There are no recently resolved issues at this time.
+
| Summary | Originating update | Status | Date resolved |
+ Loss of functionality in Dynabook Smartphone Link app
After updating to Windows 10, version 1903, you may experience a loss of functionality when using the Dynabook Smartphone Link application.
See details > | OS Build 18362.116
May 20, 2019
KB4505057 | Resolved
| July 11, 2019
01:54 PM PT |
+ Audio not working with Dolby Atmos headphones and home theater
Users may experience audio loss with Dolby Atmos headphones or Dolby Atmos home theater.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
| July 11, 2019
01:53 PM PT |
+ Error attempting to update with external USB device or memory card attached
PCs with an external USB device or SD memory card attached may get error: \"This PC can't be upgraded to Windows 10.\"
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
| July 11, 2019
01:53 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 18362.175
June 11, 2019
KB4503293 | Resolved
KB4501375 | June 27, 2019
10:00 AM PT |
+ Duplicate folders and documents showing in user profile directory
If known folders (e.g. Desktop, Documents, or Pictures folders) are redirected, an empty folder with that same name may be created.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
KB4497935 | May 29, 2019
02:00 PM PT |
+ Older versions of BattlEye anti-cheat software incompatible
Microsoft and BattlEye have identified a compatibility issue with some games that use older versions of BattlEye anti-cheat software.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
| June 07, 2019
04:26 PM PT |
+ AMD RAID driver incompatibility
Installation process may stop when trying to install Windows 10, version 1903 update on computers that run certain versions of AMD RAID drivers.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
| June 06, 2019
11:06 AM PT |
+ D3D applications and games may fail to enter full-screen mode on rotated displays
Some Direct3D (D3D) applications and games may fail to enter full-screen mode on rotated displays.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
KB4497935 | May 29, 2019
02:00 PM PT |
+
+ "
+
+- title: Issue details
+- items:
+ - type: markdown
+ text: "
+
- "
+ "
+- title: June 2019
+- items:
+ - type: markdown
+ text: "
+
| Details | Originating update | Status | History |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4501375.
Back to top | OS Build 18362.175
June 11, 2019
KB4503293 | Resolved
KB4501375 | Resolved:
June 27, 2019
10:00 AM PT
Opened:
June 12, 2019
11:11 AM PT |
+
+ "
+
+- title: May 2019
+- items:
+ - type: markdown
+ text: "
+
| Details | Originating update | Status | History |
+ | Loss of functionality in Dynabook Smartphone Link app Some users may experience a loss of functionality after updating to Windows 10, version 1903 when using the Dynabook Smartphone Link application on Windows devices. Loss of functionality may affect the display of phone numbers in the Call menu and the ability to answer phone calls on the Windows PC.
To safeguard your update experience, we have applied a compatibility hold on devices with Dynabook Smartphone Link from being offered Windows 10, version 1903, until this issue is resolved.
Affected platforms: - Client: Windows 10, version 1903
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Window 10, version 1903.
Back to top | OS Build 18362.116
May 20, 2019
KB4505057 | Resolved
| Resolved:
July 11, 2019
01:54 PM PT
Opened:
May 24, 2019
03:10 PM PT |
+ | Audio not working with Dolby Atmos headphones and home theater After updating to Windows 10, version 1903, you may experience loss of audio with Dolby Atmos for home theater (free extension) or Dolby Atmos for headphones (paid extension) acquired through the Microsoft Store due to a licensing configuration error. This occurs due to an issue with a Microsoft Store licensing component, where license holders are not able to connect to the Dolby Access app and enable Dolby Atmos extensions. To safeguard your update experience, we have applied protective hold on devices from being offered Windows 10, version 1903 until this issue is resolved. This configuration error will not result in loss of access for the acquired license once the problem is resolved.
Affected platforms: - Client: Windows 10, version 1903
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Window 10, version 1903.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
| Resolved:
July 11, 2019
01:53 PM PT
Opened:
May 21, 2019
07:16 AM PT |
+ | Error attempting to update with external USB device or memory card attached If you have an external USB device or SD memory card attached when installing Windows 10, version 1903, you may get an error message stating \"This PC can't be upgraded to Windows 10.\" This is caused by inappropriate drive reassignment during installation.
Sample scenario: An update to Windows 10, version 1903 is attempted on a computer that has a thumb drive inserted into its USB port. Before the update, the thumb drive is mounted in the system as drive G based on the existing drive configuration. After the feature update is installed; however, the device is reassigned a different drive letter (e.g., drive H).
Note The drive reassignment is not limited to removable drives. Internal hard drives may also be affected.
To safeguard your update experience, we have applied a hold on devices with an external USB device or SD memory card attached from being offered Windows 10, version 1903 until this issue is resolved.
Affected platforms: - Client: Windows 10, version 1903
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Window 10, version 1903.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
| Resolved:
July 11, 2019
01:53 PM PT
Opened:
May 21, 2019
07:38 AM PT |
+ | Duplicate folders and documents showing in user profile directory If you have redirected known folders (e.g. Desktop, Documents, or Pictures folders) you may see an empty folder with the same name in your %userprofile% directories after updating to Windows 10, version 1903. This may occur if known folders were redirected when you chose to back up your content to OneDrive using the OneDrive wizard, or if you chose to back up your content during the Windows Out-of-Box-Experience (OOBE). This may also occur if you redirected your known folders manually through the Properties dialog box in File Explorer. This issue does not cause any user files to be deleted and a solution is in progress.
To safeguard your update experience, we have applied a quality hold on devices with redirected known folders from being offered Windows 10, version 1903, until this issue is resolved.
Affected platforms: - Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4497935 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Window 10, version 1903. (Posted June 11, 2019)
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
KB4497935 | Resolved:
May 29, 2019
02:00 PM PT
Opened:
May 21, 2019
07:16 AM PT |
+ | Older versions of BattlEye anti-cheat software incompatible Microsoft and BattlEye have identified a compatibility issue with some games that use older versions of BattlEye anti-cheat software. When launching a game that uses an older, impacted version of BattlEye anti-cheat software on a device running Windows 10, version 1903, the device may experience a system crash.
To safeguard your gaming experience, we have applied a compatibility hold on devices with the impacted versions of BattlEye software used by games installed on your PC. This will prevent Windows 10, version 1903 from being offered until the incompatible version of BattlEye software is no longer installed on the device.
Affected platforms: - Client: Windows 10, version 1903
Workaround: Before updating your machine, we recommend you do one or more of the following:
- Verify that your game is up to date with the latest available version of BattlEye software. Some game platforms allow you to validate your game files, which can confirm that your installation is fully up to date.
- Restart your system and open the game again.
- Uninstall BattlEye using https://www.battleye.com/downloads/UninstallBE.exe, and then reopen your game.
- Uninstall and reinstall your game.
Resolution: This issue was resolved externally by BattlEye for all known impacted games. For a list of recent games that use BattlEye, go to https://www.battleye.com/. We recommend following the workaround before updating to Windows 10, version 1903, as games with incompatible versions of BattleEye may fail to open after updating Windows. If you have confirmed your game is up to date and you have any issues with opening games related to a BattlEye error, please see https://www.battleye.com/support/faq/.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
| Resolved:
June 07, 2019
04:26 PM PT
Opened:
May 21, 2019
07:34 AM PT |
+ | AMD RAID driver incompatibility Microsoft and AMD have identified an incompatibility with AMD RAID driver versions earlier than 9.2.0.105. When you attempt to install the Windows 10, version 1903 update on a Windows 10-based computer with an affected driver version, the installation process stops and you get a message like the following: AMD Ryzen™ or AMD Ryzen™ Threadripper™ configured in SATA or NVMe RAID mode. “A driver is installed that causes stability problems on Windows. This driver will be disabled. Check with your software/driver provider for an updated version that runs on this version of Windows.” To safeguard your update experience, we have applied a compatibility hold on devices with these AMD drivers from being offered Windows 10, version 1903, until this issue is resolved.
Affected platforms: - Client: Windows 10, version 1903
Resolution: This issue has been resolved externally by AMD. To resolve this issue, you will need to download the latest AMD RAID drivers directly from AMD at https://www.amd.com/en/support/chipsets/amd-socket-tr4/x399. The drivers must be version 9.2.0.105 or later. Install the drivers on the affected computer, and then restart the installation process for the Windows 10, version 1903 feature update. Note The safeguard hold will remain in place on machines with the older AMD RAID drivers. We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
| Resolved:
June 06, 2019
11:06 AM PT
Opened:
May 21, 2019
07:12 AM PT |
+ | D3D applications and games may fail to enter full-screen mode on rotated displays Some Direct3D (D3D) applications and games (e.g., 3DMark) may fail to enter full-screen mode on displays where the display orientation has been changed from the default (e.g., a landscape display in portrait mode).
Affected platforms: - Client: Windows 10, version 1903
- Server: Windows Server, version 1903
Resolution: This issue was resolved in KB4497935.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
KB4497935 | Resolved:
May 29, 2019
02:00 PM PT
Opened:
May 21, 2019
07:05 AM PT |
+
+ "
diff --git a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
index b1bc90a8e8..1f8c14cf98 100644
--- a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
+++ b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
@@ -32,6 +32,8 @@ sections:
- type: markdown
text: "
| Summary | Originating update | Status | Date resolved |
+ IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.
See details > | May 14, 2019
KB4499164 | Resolved
KB4503277 | June 20, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503292 | Resolved
KB4503277 | June 20, 2019
02:00 PM PT |
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | May 14, 2019
KB4499164 | Resolved
KB4505050 | May 18, 2019
02:00 PM PT |
System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.
See details > | April 09, 2019
KB4493472 | Resolved
| May 14, 2019
01:23 PM PT |
System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
See details > | April 09, 2019
KB4493472 | Resolved
| May 14, 2019
01:22 PM PT |
@@ -48,8 +50,6 @@ sections:
Internet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.
See details > | February 12, 2019
KB4486563 | Resolved
KB4486565 | February 19, 2019
02:00 PM PT |
Applications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
See details > | February 12, 2019
KB4486563 | Resolved
KB4486565 | February 19, 2019
02:00 PM PT |
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
See details > | January 08, 2019
KB4480970 | Resolved
KB4486563 | February 12, 2019
10:00 AM PT |
- Local Administrators unable to remotely access shares
Local users who are part of the local Administrators group may not be able to remotely access shares on Windows Server 2008 R2 and Windows 7 machines.
See details > | January 08, 2019
KB4480970 | Resolved
KB4487345 | January 11, 2019
02:00 PM PT |
- Unable to use Seek bar in Windows Media Player
Users may not be able to use the Seek bar in Windows Media Player when playing specific files.
See details > | October 09, 2018
KB4462923 | Resolved
KB4471318 | December 11, 2018
10:00 AM PT |
"
@@ -60,6 +60,16 @@ sections:
"
+- title: June 2019
+- items:
+ - type: markdown
+ text: "
+
| Details | Originating update | Status | History |
+ | IE11 may stop working when loading or interacting with Power BI reports Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.
Affected platforms: - Client: Windows 7 SP1; Windows 8.1
- Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Resolution: This issue was resolved in Preview Rollup KB4503277. If you are using the Internet Explorer cumulative updates, this issue was resolved in KB4508646.
Back to top | May 14, 2019
KB4499164 | Resolved
KB4503277 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 07, 2019
02:57 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503277. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.
Back to top | June 11, 2019
KB4503292 | Resolved
KB4503277 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
+
+ "
+
- title: May 2019
- items:
- type: markdown
@@ -112,7 +122,6 @@ sections:
Virtual machines fail to restoreAfter installing KB4480970, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”
This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4490511.
Back to top | January 08, 2019
KB4480970 | Resolved
KB4490511 | Resolved:
February 19, 2019
02:00 PM PT
Opened:
January 08, 2019
10:00 AM PT |
First character of the Japanese era name not recognized as an abbreviationAfter installing KB4480955, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4486565.
Back to top | January 17, 2019
KB4480955 | Resolved
KB4486565 | Resolved:
February 19, 2019
02:00 PM PT
Opened:
January 17, 2019
10:00 AM PT |
| Applications using Microsoft Jet database fail to open Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if the database has column names greater than 32 characters. The database will fail to open with the error, “Unrecognized Database Format”.
Affected Platforms: - Client: Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4486563.
Back to top | January 08, 2019
KB4480970 | Resolved
KB4486563 | Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PT |
-
Local Administrators unable to remotely access sharesLocal users who are part of the local Administrators group may not be able to remotely access shares on Windows Server 2008 R2 and Windows 7 machines after installing KB4480970. This does not affect domain accounts in the local Administrators group. Affected platforms: - Client: Windows 7 SP1
- Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4487345.
Back to top | January 08, 2019
KB4480970 | Resolved
KB4487345 | Resolved:
January 11, 2019
02:00 PM PT
Opened:
January 08, 2019
10:00 AM PT |
"
@@ -122,6 +131,5 @@ sections:
text: "
| Details | Originating update | Status | History |
Event Viewer may not show some event descriptions for network interface cardsAfter installing KB4462927, the Event Viewer may not show some event descriptions for network interface cards (NICs).
Affected Platforms: - Client: Windows 7 SP1
- Server: Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4489878.
Back to top | October 18, 2018
KB4462927 | Resolved
KB4489878 | Resolved:
March 12, 2019
10:00 AM PT
Opened:
October 18, 2018
10:00 AM PT |
- Unable to use Seek bar in Windows Media PlayerAfter installing KB4462923, users may not be able to use the Seek bar in Windows Media Player when playing specific files. This issue does not affect normal playback.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4471318.
Back to top | October 09, 2018
KB4462923 | Resolved
KB4471318 | Resolved:
December 11, 2018
10:00 AM PT
Opened:
October 09, 2018
10:00 AM PT |
"
diff --git a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
index 8d4bfd2222..45706d7e3c 100644
--- a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
+++ b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
@@ -32,6 +32,9 @@ sections:
- type: markdown
text: "
| Summary | Originating update | Status | Date resolved |
+ IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.
See details > | May 14, 2019
KB4499151 | Resolved
KB4503283 | June 20, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503276 | Resolved
KB4503283 | June 20, 2019
02:00 PM PT |
+ Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.
See details > | March 12, 2019
KB4489881 | Resolved
KB4503276 | June 11, 2019
10:00 AM PT |
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | May 14, 2019
KB4499151 | Resolved
KB4505050 | May 18, 2019
02:00 PM PT |
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details > | April 25, 2019
KB4493443 | Resolved
KB4499151 | May 14, 2019
10:00 AM PT |
System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.
See details > | April 09, 2019
KB4493446 | Resolved
| May 14, 2019
01:22 PM PT |
@@ -49,7 +52,6 @@ sections:
Internet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.
See details > | February 12, 2019
KB4487000 | Resolved
KB4487016 | February 19, 2019
02:00 PM PT |
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
See details > | January 08, 2019
KB4480963 | Resolved
KB4487000 | February 12, 2019
10:00 AM PT |
Unable to access hotspots with third-party applications
Third-party applications may have difficulty authenticating hotspots.
See details > | January 08, 2019
KB4480963 | Resolved
KB4480969 | January 15, 2019
10:00 AM PT |
- Unable to use Seek bar in Windows Media Player
Users may not be able to use the Seek bar in Windows Media Player when playing specific files.
See details > | October 09, 2018
KB4462926 | Resolved
KB4471320 | December 11, 2018
10:00 AM PT |
"
@@ -60,6 +62,16 @@ sections:
"
+- title: June 2019
+- items:
+ - type: markdown
+ text: "
+
| Details | Originating update | Status | History |
+ | IE11 may stop working when loading or interacting with Power BI reports Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.
Affected platforms: - Client: Windows 7 SP1; Windows 8.1
- Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Resolution: This issue was resolved in Preview Rollup KB4503283. If you are using the Internet Explorer cumulative updates, this issue was resolved in KB4508646.
Back to top | May 14, 2019
KB4499151 | Resolved
KB4503283 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 07, 2019
02:57 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503283. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.
Back to top | June 11, 2019
KB4503276 | Resolved
KB4503283 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
+
+ "
+
- title: May 2019
- items:
- type: markdown
@@ -87,6 +99,7 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
+ Issue using PXE to start a device from WDSAfter installing KB4489881, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4503276.
Back to top | March 12, 2019
KB4489881 | Resolved
KB4503276 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PT |
Custom URI schemes may not start corresponding applicationAfter installing KB4489881, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493446.
Back to top | March 12, 2019
KB4489881 | Resolved
KB4493446 | Resolved:
April 09, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PT |
Devices with winsock kernel client may receive errorAfter installing KB4489881, devices with a winsock kernel client may receive D1, FC, and other errors. Additionally, systems that run the Skype for Business or Lync Server Edge Transport role may be affected by this issue.
Affected platforms: - Client: Windows 8.1
- Server: Windows Server 2012 R2
Resolution: This issue is resolved in KB4489893.
Back to top | March 12, 2019
KB4489881 | Resolved
KB4489893 | Resolved:
March 19, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PT |
@@ -116,12 +129,3 @@ sections:
Unable to access hotspots with third-party applicationsAfter installing KB4480963, third-party applications may have difficulty authenticating hotspots.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4480969.
Back to top | January 08, 2019
KB4480963 | Resolved
KB4480969 | Resolved:
January 15, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PT |
"
-
-- title: October 2018
-- items:
- - type: markdown
- text: "
-
| Details | Originating update | Status | History |
- Unable to use Seek bar in Windows Media PlayerAfter installing KB4462926, users may not be able to use the Seek bar in Windows Media Player when playing specific files. This issue does not affect normal playback.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4471320.
Back to top | October 09, 2018
KB4462926 | Resolved
KB4471320 | Resolved:
December 11, 2018
10:00 AM PT
Opened:
October 09, 2018
10:00 AM PT |
-
- "
diff --git a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
index 44bc53e357..31be3e66fc 100644
--- a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
+++ b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
@@ -32,6 +32,7 @@ sections:
- type: markdown
text: "
| Summary | Originating update | Status | Date resolved |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503273 | Resolved
KB4503271 | June 20, 2019
02:00 PM PT |
System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
See details > | April 09, 2019
KB4493471 | Resolved
| May 14, 2019
01:21 PM PT |
System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.
See details > | April 09, 2019
KB4493471 | Resolved
| May 14, 2019
01:19 PM PT |
Authentication may fail for services after the Kerberos ticket expires
Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.
See details > | March 12, 2019
KB4489880 | Resolved
KB4499149 | May 14, 2019
10:00 AM PT |
@@ -41,8 +42,6 @@ sections:
Virtual machines fail to restore
Virtual machines (VMs) may fail to restore successfully if the VM has been saved and restored once before.
See details > | January 08, 2019
KB4480968 | Resolved
KB4490514 | February 19, 2019
02:00 PM PT |
Applications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
See details > | February 12, 2019
KB4487023 | Resolved
KB4487022 | February 19, 2019
02:00 PM PT |
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
See details > | January 08, 2019
KB4480968 | Resolved
KB4487023 | February 12, 2019
10:00 AM PT |
- Local Administrators unable to remotely access shares
Local users who are part of the local Administrators group may not be able to remotely access shares on Windows Server 2008 R2 and Windows 7 machines.
See details > | January 08, 2019
KB4480968 | Resolved
KB4487354 | January 11, 2019
02:00 PM PT |
- Unable to use Seek bar in Windows Media Player
Users may not be able to use the Seek bar in Windows Media Player when playing specific files.
See details > | October 09, 2018
KB4463097 | Resolved
KB4471325 | December 11, 2018
10:00 AM PT |
"
@@ -53,6 +52,15 @@ sections:
"
+- title: June 2019
+- items:
+ - type: markdown
+ text: "
+
| Details | Originating update | Status | History |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503271. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.
Back to top | June 11, 2019
KB4503273 | Resolved
KB4503271 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
+
+ "
+
- title: April 2019
- items:
- type: markdown
@@ -91,15 +99,5 @@ sections:
First character of the Japanese era name not recognized as an abbreviationAfter installing KB4480974, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4489880.
Back to top | January 17, 2019
KB4480974 | Resolved
KB4489880 | Resolved:
March 12, 2019
10:00 AM PT
Opened:
January 17, 2019
10:00 AM PT |
Virtual machines fail to restoreAfter installing KB4480968, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”
This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4490514.
Back to top | January 08, 2019
KB4480968 | Resolved
KB4490514 | Resolved:
February 19, 2019
02:00 PM PT
Opened:
January 08, 2019
10:00 AM PT |
| Applications using Microsoft Jet database fail to open Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if the database has column names greater than 32 characters. The database will fail to open with the error, “Unrecognized Database Format”.
Affected platforms: - Client: Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4487023.
Back to top | January 08, 2019
KB4480968 | Resolved
KB4487023 | Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PT |
-
Local Administrators unable to remotely access sharesLocal users who are part of the local Administrators group may not be able to remotely access shares on Windows Server 2008 R2 and Windows 7 machines after installing KB4480968. This does not affect domain accounts in the local Administrators group.
Affected platforms: - Client: Windows 7 SP1
- Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4487354.
Back to top | January 08, 2019
KB4480968 | Resolved
KB4487354 | Resolved:
January 11, 2019
02:00 PM PT
Opened:
January 08, 2019
10:00 AM PT |
-
- "
-
-- title: October 2018
-- items:
- - type: markdown
- text: "
-
| Details | Originating update | Status | History |
- Unable to use Seek bar in Windows Media PlayerAfter installing KB4463097, users may not be able to use the Seek bar in Windows Media Player when playing specific files. This issue does not affect normal playback.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4471325.
Back to top | October 09, 2018
KB4463097 | Resolved
KB4471325 | Resolved:
December 11, 2018
10:00 AM PT
Opened:
October 09, 2018
10:00 AM PT |
"
diff --git a/windows/release-information/resolved-issues-windows-server-2012.yml b/windows/release-information/resolved-issues-windows-server-2012.yml
index 8e386784dc..15736d25c5 100644
--- a/windows/release-information/resolved-issues-windows-server-2012.yml
+++ b/windows/release-information/resolved-issues-windows-server-2012.yml
@@ -32,6 +32,10 @@ sections:
- type: markdown
text: "
| Summary | Originating update | Status | Date resolved |
+ Some devices and generation 2 Hyper-V VMs may have issues installing updates
Some devices and generation 2 Hyper-V virtual machines (VMs) may have issues installing some updates when Secure Boot is enabled.
See details > | June 11, 2019
KB4503285 | Resolved
KB4503295 | June 21, 2019
02:00 PM PT |
+ IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.
See details > | May 14, 2019
KB4499171 | Resolved
KB4503295 | June 21, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503285 | Resolved
KB4503295 | June 20, 2019
02:00 PM PT |
+ Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.
See details > | March 12, 2019
KB4489891 | Resolved
KB4503285 | June 11, 2019
10:00 AM PT |
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | May 14, 2019
KB4499171 | Resolved
KB4505050 | May 18, 2019
02:00 PM PT |
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details > | April 25, 2019
KB4493462 | Resolved
KB4499171 | May 14, 2019
10:00 AM PT |
System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
See details > | April 09, 2019
KB4493451 | Resolved
| May 14, 2019
01:21 PM PT |
@@ -46,7 +50,6 @@ sections:
Applications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
See details > | February 12, 2019
KB4487025 | Resolved
KB4487024 | February 19, 2019
02:00 PM PT |
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
See details > | January 08, 2019
KB4480975 | Resolved
KB4487025 | February 12, 2019
10:00 AM PT |
Unable to access hotspots with third-party applications
Third-party applications may have difficulty authenticating hotspots.
See details > | January 08, 2019
KB4480975 | Resolved
KB4480971 | January 15, 2019
10:00 AM PT |
- Unable to use Seek bar in Windows Media Player
Users may not be able to use the Seek bar in Windows Media Player when playing specific files.
See details > | October 09, 2018
KB4462929 | Resolved
KB4471330 | December 11, 2018
10:00 AM PT |
"
@@ -57,6 +60,17 @@ sections:
"
+- title: June 2019
+- items:
+ - type: markdown
+ text: "
+
| Details | Originating update | Status | History |
+ Some devices and generation 2 Hyper-V VMs may have issues installing updatesSome devices and generation 2 Hyper-V virtual machines (VMs) may have issues installing KB4503285 or later updates when Secure Boot is enabled.
Affected platforms: - Server: Windows Server 2012
Resolution: This issue was resolved in KB4503295. If your device is using Security Only updates, this issue was resolved in KB4508776.
Back to top | June 11, 2019
KB4503285 | Resolved
KB4503295 | Resolved:
June 21, 2019
02:00 PM PT
Opened:
June 19, 2019
04:57 PM PT |
+ | IE11 may stop working when loading or interacting with Power BI reports Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.
Affected platforms: - Client: Windows 7 SP1; Windows 8.1
- Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Resolution: This issue was resolved in Preview Rollup KB4503295. If you are using the Internet Explorer cumulative updates, this issue was resolved in KB4508646.
Back to top | May 14, 2019
KB4499171 | Resolved
KB4503295 | Resolved:
June 21, 2019
02:00 PM PT
Opened:
June 07, 2019
02:57 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503295. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.
Back to top | June 11, 2019
KB4503285 | Resolved
KB4503295 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
+
+ "
+
- title: May 2019
- items:
- type: markdown
@@ -77,6 +91,15 @@ sections:
"
+- title: March 2019
+- items:
+ - type: markdown
+ text: "
+
| Details | Originating update | Status | History |
+ Issue using PXE to start a device from WDSAfter installing KB4489891, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4503285.
Back to top | March 12, 2019
KB4489891 | Resolved
KB4503285 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PT |
+
+ "
+
- title: February 2019
- items:
- type: markdown
@@ -102,15 +125,6 @@ sections:
"
-- title: October 2018
-- items:
- - type: markdown
- text: "
-
| Details | Originating update | Status | History |
- Unable to use Seek bar in Windows Media PlayerAfter installing KB4462929, users may not be able to use the Seek bar in Windows Media Player when playing specific files. This issue does not affect normal playback.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4471330.
Back to top | October 09, 2018
KB4462929 | Resolved
KB4471330 | Resolved:
December 11, 2018
10:00 AM PT
Opened:
October 09, 2018
10:00 AM PT |
-
- "
-
- title: September 2018
- items:
- type: markdown
diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml
index ce1f513a1a..e81ad9523c 100644
--- a/windows/release-information/status-windows-10-1507.yml
+++ b/windows/release-information/status-windows-10-1507.yml
@@ -29,17 +29,17 @@ sections:
columns: 3
items:
- - href: https://blogs.windows.com/windowsexperience/
+ - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
html: Get the update >
image:
src: https://docs.microsoft.com/media/common/i_deploy.svg
title: Windows 10, version 1903 rollout begins
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064
html: Read about the latest enhancements >
image:
src: https://docs.microsoft.com/media/common/i_whats-new.svg
title: What’s new in Windows Update for Business
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024
html: Get an overview >
image:
src: https://docs.microsoft.com/media/common/i_investigate.svg
@@ -61,7 +61,7 @@ sections:
text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details > | OS Build 10240.18094
January 08, 2019
KB4480962 | Mitigated
| April 25, 2019
02:00 PM PT |
- Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | OS Build 10240.18215
May 14, 2019
KB4499154 | Resolved
KB4505051 | May 19, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 10240.18244
June 11, 2019
KB4503291 | Resolved
KB4507458 | July 09, 2019
10:00 AM PT |
"
@@ -72,12 +72,12 @@ sections:
"
-- title: May 2019
+- title: June 2019
- items:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Unable to access some gov.uk websites After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms: - Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: We have released an \"optional, out-of-band\" update for Windows 10 ( KB4505051) to resolve this issue. If you are affected, we recommend you apply this update by installing KB4505051 from Windows Update and then restarting your device.
This update will not be applied automatically. To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505051, search for it in the Microsoft Update Catalog.
Back to top | OS Build 10240.18215
May 14, 2019
KB4499154 | Resolved
KB4505051 | Resolved:
May 19, 2019
02:00 PM PT
Opened:
May 16, 2019
01:57 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4507458.
Back to top | OS Build 10240.18244
June 11, 2019
KB4503291 | Resolved
KB4507458 | Resolved:
July 09, 2019
10:00 AM PT
Opened:
June 12, 2019
11:11 AM PT |
"
diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
index 9a76c08ad3..7c920cf6b5 100644
--- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
+++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
@@ -29,17 +29,17 @@ sections:
columns: 3
items:
- - href: https://blogs.windows.com/windowsexperience/
+ - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
html: Get the update >
image:
src: https://docs.microsoft.com/media/common/i_deploy.svg
title: Windows 10, version 1903 rollout begins
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064
html: Read about the latest enhancements >
image:
src: https://docs.microsoft.com/media/common/i_whats-new.svg
title: What’s new in Windows Update for Business
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024
html: Get an overview >
image:
src: https://docs.microsoft.com/media/common/i_investigate.svg
@@ -60,18 +60,15 @@ sections:
- type: markdown
text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
- Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details > | OS Build 14393.2999
May 23, 2019
KB4499177 | Mitigated
| June 05, 2019
07:51 PM PT |
- Some applications may fail to run as expected on clients of AD FS 2016
Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016)
See details > | OS Build 14393.2941
April 25, 2019
KB4493473 | Mitigated
| June 04, 2019
05:55 PM PT |
- Devices running Windows Server 2016 with Hyper-V seeing Bitlocker error 0xC0210000
Some devices running Windows Server with Hyper-V enabled may start into Bitlocker recovery with error 0xC0210000
See details > | OS Build 14393.2969
May 14, 2019
KB4494440 | Mitigated
| May 23, 2019
09:57 AM PT |
+ Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details > | OS Build 14393.3025
June 11, 2019
KB4503267 | Mitigated
| July 10, 2019
07:09 PM PT |
+ Some applications may fail to run as expected on clients of AD FS 2016
Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016)
See details > | OS Build 14393.2941
April 25, 2019
KB4493473 | Mitigated
| June 07, 2019
04:25 PM PT |
Cluster service may fail if the minimum password length is set to greater than 14
The cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters.
See details > | OS Build 14393.2639
November 27, 2018
KB4467684 | Mitigated
| April 25, 2019
02:00 PM PT |
- Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.
See details > | OS Build 14393.2848
March 12, 2019
KB4489882 | Mitigated
| April 25, 2019
02:00 PM PT |
SCVMM cannot enumerate and manage logical switches deployed on the host
For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host.
See details > | OS Build 14393.2639
November 27, 2018
KB4467684 | Mitigated
| April 25, 2019
02:00 PM PT |
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details > | OS Build 14393.2724
January 08, 2019
KB4480961 | Mitigated
| April 25, 2019
02:00 PM PT |
Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.
See details > | OS Build 14393.2608
November 13, 2018
KB4467691 | Mitigated
| February 19, 2019
10:00 AM PT |
- Update not showing as applicable through WSUS or SCCM or when manually installed
Update not showing as applicable through WSUS or SCCM or when manually installed
See details > | OS Build 14393.2969
May 14, 2019
KB4494440 | Resolved
KB4498947 | May 14, 2019
10:00 AM PT |
- Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | OS Build 14393.2969
May 14, 2019
KB4494440 | Resolved
KB4505052 | May 19, 2019
02:00 PM PT |
- Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details > | OS Build 14393.2941
April 25, 2019
KB4493473 | Resolved
KB4494440 | May 14, 2019
10:00 AM PT |
- Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.
See details > | OS Build 14393.2941
April 25, 2019
KB4493473 | Resolved
KB4494440 | May 14, 2019
10:00 AM PT |
+ Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.
See details > | OS Build 14393.2969
May 14, 2019
KB4494440 | Resolved
KB4507460 | July 09, 2019
10:00 AM PT |
+ Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.
See details > | OS Build 14393.2999
May 23, 2019
KB4499177 | Resolved
KB4509475 | June 27, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 14393.3025
June 11, 2019
KB4503267 | Resolved
KB4503294 | June 18, 2019
02:00 PM PT |
"
@@ -82,13 +79,23 @@ sections:
"
+- title: July 2019
+- items:
+ - type: markdown
+ text: "
+
| Details | Originating update | Status | History |
+ Devices starting using PXE from a WDS or SCCM servers may fail to startDevices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503267 on a WDS server.
Affected platforms: - Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Workaround: To mitigate this issue on an SCCM server: - Verify Variable Window Extension is enabled.
- Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.
To mitigate this issue on a WDS server without SCCM: - In WDS TFTP settings, verify Variable Window Extension is enabled.
- In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
- In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 14393.3025
June 11, 2019
KB4503267 | Mitigated
| Last updated:
July 10, 2019
07:09 PM PT
Opened:
July 10, 2019
02:51 PM PT |
+
+ "
+
- title: June 2019
- items:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2019; Windows Server 2016
Workaround: To set the Default Search Provider, use the following steps: - Open an Administrator Command prompt and type the following: \"C:\\Program Files\\Internet Explorer\\iexplore.exe\" http://microsoft.com
- After Internet Explorer has opened, go to the Settings menu and select Manage add-ons.
- Select Search Providers in left pane.
- Select the link Find more search providers in the bottom left of the dialog.
- A new Internet Explorer window should open, allowing you to select a search provider.
- Select Add under the Search Provider you prefer.
- The Add Search Provider dialog should open, select Add.
- You should now be able to open Internet Explorer 11 normally.
Next steps: We are working on a resolution and estimate a solution will be available in mid-June.
Back to top | OS Build 14393.2999
May 23, 2019
KB4499177 | Mitigated
| Last updated:
June 05, 2019
07:51 PM PT
Opened:
June 05, 2019
05:49 PM PT |
- Some applications may fail to run as expected on clients of AD FS 2016Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016) after installation of KB4493473 on the server. Applications that may exhibit this behavior use an IFRAME during non-interactive authentication requests and receive X-Frame Options set to DENY.
Affected platforms: - Server: Windows Server 2016
Workaround: You can use the Allow-From value of the header if the IFRAME is only accessing pages from a single-origin URL. On the affected server, open a PowerShell window as an administrator and run the following command: set-AdfsResponseHeaders -SetHeaderName X-Frame-Options -SetHeaderValue \"allow-from https://example.com\"
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 14393.2941
April 25, 2019
KB4493473 | Mitigated
| Last updated:
June 04, 2019
05:55 PM PT
Opened:
June 04, 2019
05:55 PM PT |
+ Some applications may fail to run as expected on clients of AD FS 2016Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016) after installation of KB4493473 on the server. Applications that may exhibit this behavior use an IFRAME during non-interactive authentication requests and receive X-Frame Options set to DENY.
Affected platforms: - Server: Windows Server 2016
Workaround: You can use the Allow-From value of the header if the IFRAME is only accessing pages from a single-origin URL. On the affected server, open a PowerShell window as an administrator and run the following command: set-AdfsResponseHeaders -SetHeaderName X-Frame-Options -SetHeaderValue \"allow-from https://example.com\"
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 14393.2941
April 25, 2019
KB4493473 | Mitigated
| Last updated:
June 07, 2019
04:25 PM PT
Opened:
June 04, 2019
05:55 PM PT |
+ Difficulty connecting to some iSCSI-based SANsDevices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499177. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509475.
Back to top | OS Build 14393.2999
May 23, 2019
KB4499177 | Resolved
KB4509475 | Resolved:
June 27, 2019
02:00 PM PT
Opened:
June 20, 2019
04:46 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503294.
Back to top | OS Build 14393.3025
June 11, 2019
KB4503267 | Resolved
KB4503294 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
"
@@ -97,29 +104,7 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- Devices running Windows Server 2016 with Hyper-V seeing Bitlocker error 0xC0210000Some devices running Windows Server 2016 with Hyper-V enabled may enter Bitlocker recovery mode and receive an error, \"0xC0210000\" after installing KB4494440 and restarting.
Note Windows 10, version 1607 may also be affected when Bitlocker and Hyper-V are both enabled.
Affected platforms: - Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2016
Workaround: If your device is already in this state, you can successfully start Windows after suspending Bitlocker from the Windows Recovery Environment (WinRE) using the following steps: - Retrieve the 48 digit Bitlocker recovery password for the OS volume from your organization's portal or from wherever the key was stored when Bitlocker was first enabled.
- From the recovery screen, press the enter key and enter the recovery password when prompted.
- If your device starts in the Windows Recovery Environment and asks for recovery key again, select Skip the drive to continue to WinRE.
- select Advanced options then Troubleshoot then Advanced options then Command Prompt.
- Unlock OS drive using the command: Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by “-“ in 6 digit group>
- Suspend Bitlocker using the command: Manage-bde -protectors -disable c:
- Exit the command window using the command: exit
- Select Continue from recovery environment.
- The device should now start Windows.
- Once started, launch an Administrator Command Prompt and resume the Bitlocker to ensure the system remains protected, using the command: Manage-bde -protectors -enable c:
Note The workaround needs to be followed on every system restart unless Bitlocker is suspended before restarting.
To prevent this issue, execute the following command to temporarily suspend Bitlocker just before restarting the system: Manage-bde -protectors -disable c: -rc 1 Note This command will suspend Bitlocker for 1 restart of the device (-rc 1 option only works inside OS and does not work from recovery environment).
Next steps: Microsoft is presently investigating this issue and will provide an update when available.
Back to top | OS Build 14393.2969
May 14, 2019
KB4494440 | Mitigated
| Last updated:
May 23, 2019
09:57 AM PT
Opened:
May 21, 2019
08:50 AM PT |
- Update not showing as applicable through WSUS or SCCM or when manually installedKB4494440 or later updates may not show as applicable through WSUS or SCCM to the affected platforms. When manually installing the standalone update from Microsoft Update Catalog, it may fail to install with the error, \"The update is not applicable to your computer.\"
Affected platforms: - Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2016
Resolution: The servicing stack update (SSU) ( KB4498947) must be installed before installing the latest cumulative update (LCU). The LCU will not be reported as applicable until the SSU is installed. For more information, see Servicing stack updates.
Back to top | OS Build 14393.2969
May 14, 2019
KB4494440 | Resolved
KB4498947 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
May 24, 2019
04:20 PM PT |
- | Unable to access some gov.uk websites After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms: - Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: We have released an \"optional, out-of-band\" update for Windows 10 ( KB4505052) to resolve this issue. If you are affected, we recommend you apply this update by installing KB4505052 from Windows Update and then restarting your device.
This update will not be applied automatically. To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505052, search for it in the Microsoft Update Catalog.
Back to top | OS Build 14393.2969
May 14, 2019
KB4494440 | Resolved
KB4505052 | Resolved:
May 19, 2019
02:00 PM PT
Opened:
May 16, 2019
01:57 PM PT |
- | Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue has been resolved.
Back to top | OS Build 14393.2941
April 25, 2019
KB4493473 | Resolved
KB4494440 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
May 10, 2019
10:35 AM PT |
-
- "
-
-- title: April 2019
-- items:
- - type: markdown
- text: "
-
| Details | Originating update | Status | History |
- Zone transfers over TCP may failZone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail after installing KB4493473. Affected platforms: - Client: Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4494440.
Back to top | OS Build 14393.2941
April 25, 2019
KB4493473 | Resolved
KB4494440 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
April 25, 2019
02:00 PM PT |
-
- "
-
-- title: March 2019
-- items:
- - type: markdown
- text: "
-
| Details | Originating update | Status | History |
- Issue using PXE to start a device from WDSAfter installing KB4489882, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:
Option 1: Open an Administrator Command prompt and type the following: Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No
-
Option 2: Use the Windows Deployment Services UI to make the following adjustment: - Open Windows Deployment Services from Windows Administrative Tools.
- Expand Servers and right-click a WDS server.
- Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.
Option 3: Set the following registry value to 0: HKLM\\System\\CurrentControlSet\\Services\\WDSServer\\Providers\\WDSTFTP\\EnableVariableWindowExtension
Restart the WDSServer service after disabling the Variable Window Extension.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 14393.2848
March 12, 2019
KB4489882 | Mitigated
| Last updated:
April 25, 2019
02:00 PM PT
Opened:
March 12, 2019
10:00 AM PT |
+ Devices with Hyper-V enabled may receive BitLocker error 0xC0210000Some devices with Hyper-V enabled may enter BitLocker recovery mode and receive an error, \"0xC0210000\" after installing KB4494440 and restarting.
Affected platforms: - Client: Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2016
Resolution: This issue was resolved in KB4507460.
Back to top | OS Build 14393.2969
May 14, 2019
KB4494440 | Resolved
KB4507460 | Resolved:
July 09, 2019
10:00 AM PT
Opened:
May 21, 2019
08:50 AM PT |
"
diff --git a/windows/release-information/status-windows-10-1703.yml b/windows/release-information/status-windows-10-1703.yml
index 9fd4e8cbe6..7bc0807985 100644
--- a/windows/release-information/status-windows-10-1703.yml
+++ b/windows/release-information/status-windows-10-1703.yml
@@ -29,17 +29,17 @@ sections:
columns: 3
items:
- - href: https://blogs.windows.com/windowsexperience/
+ - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
html: Get the update >
image:
src: https://docs.microsoft.com/media/common/i_deploy.svg
title: Windows 10, version 1903 rollout begins
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064
html: Read about the latest enhancements >
image:
src: https://docs.microsoft.com/media/common/i_whats-new.svg
title: What’s new in Windows Update for Business
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024
html: Get an overview >
image:
src: https://docs.microsoft.com/media/common/i_investigate.svg
@@ -60,10 +60,10 @@ sections:
- type: markdown
text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
- Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details > | OS Build 15063.1839
May 28, 2019
KB4499162 | Mitigated
| June 05, 2019
07:51 PM PT |
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details > | OS Build 15063.1563
January 08, 2019
KB4480973 | Mitigated
| April 25, 2019
02:00 PM PT |
- Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | OS Build 15063.1805
May 14, 2019
KB4499181 | Resolved
KB4505055 | May 19, 2019
02:00 PM PT |
- Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details > | OS Build 15063.1784
April 25, 2019
KB4493436 | Resolved
KB4499181 | May 14, 2019
10:00 AM PT |
+ Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.
See details > | OS Build 15063.1805
May 14, 2019
KB4499181 | Resolved
KB4507450 | July 09, 2019
10:00 AM PT |
+ Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.
See details > | OS Build 15063.1839
May 28, 2019
KB4499162 | Resolved
KB4509476 | June 26, 2019
04:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 15063.1868
June 11, 2019
KB4503279 | Resolved
KB4503289 | June 18, 2019
02:00 PM PT |
"
@@ -79,7 +79,8 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2019; Windows Server 2016
Workaround: To set the Default Search Provider, use the following steps: - Open an Administrator Command prompt and type the following: \"C:\\Program Files\\Internet Explorer\\iexplore.exe\" http://microsoft.com
- After Internet Explorer has opened, go to the Settings menu and select Manage add-ons.
- Select Search Providers in left pane.
- Select the link Find more search providers in the bottom left of the dialog.
- A new Internet Explorer window should open, allowing you to select a search provider.
- Select Add under the Search Provider you prefer.
- The Add Search Provider dialog should open, select Add.
- You should now be able to open Internet Explorer 11 normally.
Next steps: We are working on a resolution and estimate a solution will be available in mid-June.
Back to top | OS Build 15063.1839
May 28, 2019
KB4499162 | Mitigated
| Last updated:
June 05, 2019
07:51 PM PT
Opened:
June 05, 2019
05:49 PM PT |
+ Difficulty connecting to some iSCSI-based SANsDevices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499162. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509476.
Back to top | OS Build 15063.1839
May 28, 2019
KB4499162 | Resolved
KB4509476 | Resolved:
June 26, 2019
04:00 PM PT
Opened:
June 20, 2019
04:46 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503289.
Back to top | OS Build 15063.1868
June 11, 2019
KB4503279 | Resolved
KB4503289 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
"
@@ -88,8 +89,7 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Unable to access some gov.uk websites After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms: - Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: We have released an \"optional, out-of-band\" update for Windows 10 ( KB4505055) to resolve this issue. If you are affected, we recommend you apply this update by installing KB4505055 from Windows Update and then restarting your device.
This update will not be applied automatically. To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505055, search for it in the Microsoft Update Catalog.
Back to top | OS Build 15063.1805
May 14, 2019
KB4499181 | Resolved
KB4505055 | Resolved:
May 19, 2019
02:00 PM PT
Opened:
May 16, 2019
01:57 PM PT |
- | Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue has been resolved.
Back to top | OS Build 15063.1784
April 25, 2019
KB4493436 | Resolved
KB4499181 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
May 10, 2019
10:35 AM PT |
+ Devices with Hyper-V enabled may receive BitLocker error 0xC0210000Some devices with Hyper-V enabled may enter BitLocker recovery mode and receive an error, \"0xC0210000\" after installing KB4499181 and restarting.
Affected platforms: - Client: Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2016
Resolution: This issue was resolved in KB4507450.
Back to top | OS Build 15063.1805
May 14, 2019
KB4499181 | Resolved
KB4507450 | Resolved:
July 09, 2019
10:00 AM PT
Opened:
May 21, 2019
08:50 AM PT |
"
diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml
index f02eb933d8..181bfbf128 100644
--- a/windows/release-information/status-windows-10-1709.yml
+++ b/windows/release-information/status-windows-10-1709.yml
@@ -29,17 +29,17 @@ sections:
columns: 3
items:
- - href: https://blogs.windows.com/windowsexperience/
+ - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
html: Get the update >
image:
src: https://docs.microsoft.com/media/common/i_deploy.svg
title: Windows 10, version 1903 rollout begins
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064
html: Read about the latest enhancements >
image:
src: https://docs.microsoft.com/media/common/i_whats-new.svg
title: What’s new in Windows Update for Business
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024
html: Get an overview >
image:
src: https://docs.microsoft.com/media/common/i_investigate.svg
@@ -60,11 +60,10 @@ sections:
- type: markdown
text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
- Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details > | OS Build 16299.1182
May 28, 2019
KB4499147 | Mitigated
| June 05, 2019
07:51 PM PT |
+ Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details > | OS Build 16299.1217
June 11, 2019
KB4503284 | Mitigated
| July 10, 2019
07:09 PM PT |
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details > | OS Build 16299.904
January 08, 2019
KB4480978 | Mitigated
| April 25, 2019
02:00 PM PT |
- Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | OS Build 16299.1143
May 14, 2019
KB4498946 | Resolved
KB4505062 | May 19, 2019
02:00 PM PT |
- Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details > | OS Build 16299.1127
April 25, 2019
KB4493440 | Resolved
KB4499179 | May 14, 2019
10:00 AM PT |
- Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.
See details > | OS Build 16299.1127
April 25, 2019
KB4493440 | Resolved
KB4499179 | May 14, 2019
10:00 AM PT |
+ Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.
See details > | OS Build 16299.1182
May 28, 2019
KB4499147 | Resolved
KB4509477 | June 26, 2019
04:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 16299.1217
June 11, 2019
KB4503284 | Resolved
KB4503281 | June 18, 2019
02:00 PM PT |
"
@@ -75,31 +74,22 @@ sections:
"
+- title: July 2019
+- items:
+ - type: markdown
+ text: "
+
| Details | Originating update | Status | History |
+ Devices starting using PXE from a WDS or SCCM servers may fail to startDevices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503284 on a WDS server.
Affected platforms: - Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Workaround: To mitigate this issue on an SCCM server: - Verify Variable Window Extension is enabled.
- Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.
To mitigate this issue on a WDS server without SCCM: - In WDS TFTP settings, verify Variable Window Extension is enabled.
- In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
- In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 16299.1217
June 11, 2019
KB4503284 | Mitigated
| Last updated:
July 10, 2019
07:09 PM PT
Opened:
July 10, 2019
02:51 PM PT |
+
+ "
+
- title: June 2019
- items:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2019; Windows Server 2016
Workaround: To set the Default Search Provider, use the following steps: - Open an Administrator Command prompt and type the following: \"C:\\Program Files\\Internet Explorer\\iexplore.exe\" http://microsoft.com
- After Internet Explorer has opened, go to the Settings menu and select Manage add-ons.
- Select Search Providers in left pane.
- Select the link Find more search providers in the bottom left of the dialog.
- A new Internet Explorer window should open, allowing you to select a search provider.
- Select Add under the Search Provider you prefer.
- The Add Search Provider dialog should open, select Add.
- You should now be able to open Internet Explorer 11 normally.
Next steps: We are working on a resolution and estimate a solution will be available in mid-June.
Back to top | OS Build 16299.1182
May 28, 2019
KB4499147 | Mitigated
| Last updated:
June 05, 2019
07:51 PM PT
Opened:
June 05, 2019
05:49 PM PT |
-
- "
-
-- title: May 2019
-- items:
- - type: markdown
- text: "
-
| Details | Originating update | Status | History |
- | Unable to access some gov.uk websites After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms: - Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolved: We have released an \" out-of-band\" update for Windows 10 ( KB4505062) to resolve this issue.
- UK customers: This update will be applied automatically to resolve this issue. You may be required to restart your device again. If you are affected by this issue, Check for updates to apply the update immediately.
- Customers outside of the UK: This update will not be applied automatically. If you are affected by this issue, we recommend you apply this update by installing KB4505062 from Windows Update and then restarting your device.
To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505062, search for it in the Microsoft Update Catalog.
Back to top | OS Build 16299.1143
May 14, 2019
KB4498946 | Resolved
KB4505062 | Resolved:
May 19, 2019
02:00 PM PT
Opened:
May 16, 2019
01:57 PM PT |
- | Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue has been resolved.
Back to top | OS Build 16299.1127
April 25, 2019
KB4493440 | Resolved
KB4499179 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
May 10, 2019
10:35 AM PT |
-
- "
-
-- title: April 2019
-- items:
- - type: markdown
- text: "
-
| Details | Originating update | Status | History |
- Zone transfers over TCP may failZone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail after installing KB4493440. Affected platforms: - Client: Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4499179.
Back to top | OS Build 16299.1127
April 25, 2019
KB4493440 | Resolved
KB4499179 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
April 25, 2019
02:00 PM PT |
+ Difficulty connecting to some iSCSI-based SANsDevices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499147. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509477.
Back to top | OS Build 16299.1182
May 28, 2019
KB4499147 | Resolved
KB4509477 | Resolved:
June 26, 2019
04:00 PM PT
Opened:
June 20, 2019
04:46 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503281.
Back to top | OS Build 16299.1217
June 11, 2019
KB4503284 | Resolved
KB4503281 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
"
diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml
index f2d6cb0948..1f39a3eeff 100644
--- a/windows/release-information/status-windows-10-1803.yml
+++ b/windows/release-information/status-windows-10-1803.yml
@@ -29,17 +29,17 @@ sections:
columns: 3
items:
- - href: https://blogs.windows.com/windowsexperience/
+ - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
html: Get the update >
image:
src: https://docs.microsoft.com/media/common/i_deploy.svg
title: Windows 10, version 1903 rollout begins
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064
html: Read about the latest enhancements >
image:
src: https://docs.microsoft.com/media/common/i_whats-new.svg
title: What’s new in Windows Update for Business
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024
html: Get an overview >
image:
src: https://docs.microsoft.com/media/common/i_investigate.svg
@@ -60,12 +60,11 @@ sections:
- type: markdown
text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
- Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details > | OS Build 17134.799
May 21, 2019
KB4499183 | Mitigated
| June 05, 2019
07:51 PM PT |
- Issue using PXE to start a device from WDS
Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely.
See details > | OS Build 17134.648
March 12, 2019
KB4489868 | Mitigated
| April 25, 2019
02:00 PM PT |
+ Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details > | OS Build 17134.829
June 11, 2019
KB4503286 | Mitigated
| July 10, 2019
07:09 PM PT |
+ Startup to a black screen after installing updates
Your device may startup to a black screen during the first logon after installing updates.
See details > | OS Build 17134.829
June 11, 2019
KB4503286 | Mitigated
| June 14, 2019
04:41 PM PT |
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details > | OS Build 17134.523
January 08, 2019
KB4480966 | Mitigated
| April 25, 2019
02:00 PM PT |
- Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | OS Build 17134.765
May 14, 2019
KB4499167 | Resolved
KB4505064 | May 19, 2019
02:00 PM PT |
- Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details > | OS Build 17134.753
April 25, 2019
KB4493437 | Resolved
KB4499167 | May 14, 2019
10:00 AM PT |
- Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.
See details > | OS Build 17134.753
April 25, 2019
KB4493437 | Resolved
KB4499167 | May 14, 2019
10:00 AM PT |
+ Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.
See details > | OS Build 17134.799
May 21, 2019
KB4499183 | Resolved
KB4509478 | June 26, 2019
04:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 17134.829
June 11, 2019
KB4503286 | Resolved
KB4503288 | June 18, 2019
02:00 PM PT |
"
@@ -76,41 +75,23 @@ sections:
"
+- title: July 2019
+- items:
+ - type: markdown
+ text: "
+
| Details | Originating update | Status | History |
+ Devices starting using PXE from a WDS or SCCM servers may fail to startDevices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503286 on a WDS server.
Affected platforms: - Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Workaround: To mitigate this issue on an SCCM server: - Verify Variable Window Extension is enabled.
- Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.
To mitigate this issue on a WDS server without SCCM: - In WDS TFTP settings, verify Variable Window Extension is enabled.
- In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
- In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 17134.829
June 11, 2019
KB4503286 | Mitigated
| Last updated:
July 10, 2019
07:09 PM PT
Opened:
July 10, 2019
02:51 PM PT |
+
+ "
+
- title: June 2019
- items:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2019; Windows Server 2016
Workaround: To set the Default Search Provider, use the following steps: - Open an Administrator Command prompt and type the following: \"C:\\Program Files\\Internet Explorer\\iexplore.exe\" http://microsoft.com
- After Internet Explorer has opened, go to the Settings menu and select Manage add-ons.
- Select Search Providers in left pane.
- Select the link Find more search providers in the bottom left of the dialog.
- A new Internet Explorer window should open, allowing you to select a search provider.
- Select Add under the Search Provider you prefer.
- The Add Search Provider dialog should open, select Add.
- You should now be able to open Internet Explorer 11 normally.
Next steps: We are working on a resolution and estimate a solution will be available in mid-June.
Back to top | OS Build 17134.799
May 21, 2019
KB4499183 | Mitigated
| Last updated:
June 05, 2019
07:51 PM PT
Opened:
June 05, 2019
05:49 PM PT |
-
- "
-
-- title: May 2019
-- items:
- - type: markdown
- text: "
-
| Details | Originating update | Status | History |
- | Unable to access some gov.uk websites After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms: - Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolved: We have released an \" out-of-band\" update for Windows 10 ( KB4505064) to resolve this issue.
- UK customers: This update will be applied automatically to resolve this issue. You may be required to restart your device again. If you are affected by this issue, Check for updates to apply the update immediately.
- Customers outside of the UK: This update will not be applied automatically. If you are affected by this issue, we recommend you apply this update by installing KB4505064 from Windows Update and then restarting your device.
To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505064, search for it in the Microsoft Update Catalog.
Back to top | OS Build 17134.765
May 14, 2019
KB4499167 | Resolved
KB4505064 | Resolved:
May 19, 2019
02:00 PM PT
Opened:
May 16, 2019
01:57 PM PT |
- | Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue has been resolved.
Back to top | OS Build 17134.753
April 25, 2019
KB4493437 | Resolved
KB4499167 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
May 10, 2019
10:35 AM PT |
-
- "
-
-- title: April 2019
-- items:
- - type: markdown
- text: "
-
| Details | Originating update | Status | History |
- Zone transfers over TCP may failZone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail after installing KB4493437. Affected platforms: - Client: Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4499167.
Back to top | OS Build 17134.753
April 25, 2019
KB4493437 | Resolved
KB4499167 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
April 25, 2019
02:00 PM PT |
-
- "
-
-- title: March 2019
-- items:
- - type: markdown
- text: "
-
| Details | Originating update | Status | History |
- Issue using PXE to start a device from WDSAfter installing KB4489868, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:
Option 1: Open an Administrator Command prompt and type the following: Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No
-
Option 2: Use the Windows Deployment Services UI to make the following adjustment: - Open Windows Deployment Services from Windows Administrative Tools.
- Expand Servers and right-click a WDS server.
- Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.
Option 3: Set the following registry value to 0: HKLM\\System\\CurrentControlSet\\Services\\WDSServer\\Providers\\WDSTFTP\\EnableVariableWindowExtension
Restart the WDSServer service after disabling the Variable Window Extension. Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 17134.648
March 12, 2019
KB4489868 | Mitigated
| Last updated:
April 25, 2019
02:00 PM PT
Opened:
March 12, 2019
10:00 AM PT |
+ | Startup to a black screen after installing updates We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803
- Server: Windows Server 2019
Workaround: To mitigate this issue, press Ctrl+Alt+Delete, then select the Power button in the lower right corner of the screen and select Restart. Your device should now restart normally.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 17134.829
June 11, 2019
KB4503286 | Mitigated
| Last updated:
June 14, 2019
04:41 PM PT
Opened:
June 14, 2019
04:41 PM PT |
+ Difficulty connecting to some iSCSI-based SANsDevices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499183. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509478.
Back to top | OS Build 17134.799
May 21, 2019
KB4499183 | Resolved
KB4509478 | Resolved:
June 26, 2019
04:00 PM PT
Opened:
June 20, 2019
04:46 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503288.
Back to top | OS Build 17134.829
June 11, 2019
KB4503286 | Resolved
KB4503288 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
"
diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
index dabae3539b..ef9a99126b 100644
--- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
+++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
@@ -34,17 +34,17 @@ sections:
columns: 3
items:
- - href: https://blogs.windows.com/windowsexperience/
+ - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
html: Get the update >
image:
src: https://docs.microsoft.com/media/common/i_deploy.svg
title: Windows 10, version 1903 rollout begins
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064
html: Read about the latest enhancements >
image:
src: https://docs.microsoft.com/media/common/i_whats-new.svg
title: What’s new in Windows Update for Business
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024
html: Get an overview >
image:
src: https://docs.microsoft.com/media/common/i_investigate.svg
@@ -65,18 +65,14 @@ sections:
- type: markdown
text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
- Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details > | OS Build 17763.529
May 21, 2019
KB4497934 | Mitigated
| June 05, 2019
07:51 PM PT |
+ Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details > | OS Build 17763.557
June 11, 2019
KB4503327 | Mitigated
| July 10, 2019
07:09 PM PT |
+ Startup to a black screen after installing updates
Your device may startup to a black screen during the first logon after installing updates.
See details > | OS Build 17763.557
June 11, 2019
KB4503327 | Mitigated
| June 14, 2019
04:41 PM PT |
Devices with some Asian language packs installed may receive an error
After installing the KB4493509 devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_F
See details > | OS Build 17763.437
April 09, 2019
KB4493509 | Mitigated
| May 03, 2019
10:59 AM PT |
- Printing from Microsoft Edge or other UWP apps, you may receive the error 0x80070007
Attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications, you may receive an error.
See details > | OS Build 17763.379
March 12, 2019
KB4489899 | Mitigated
| May 02, 2019
04:47 PM PT |
- Issue using PXE to start a device from WDS
Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely.
See details > | OS Build 17763.379
March 12, 2019
KB4489899 | Mitigated
| April 09, 2019
10:00 AM PT |
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details > | OS Build 17763.253
January 08, 2019
KB4480116 | Mitigated
| April 09, 2019
10:00 AM PT |
- Audio not working on monitors or TV connected to a PC via HDMI, USB, or DisplayPort
Upgrade block: Microsoft has identified issues with certain new Intel display drivers, which accidentally turn on unsupported features in Windows.
See details > | OS Build 17763.134
November 13, 2018
KB4467708 | Resolved
| May 21, 2019
07:42 AM PT |
- Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | OS Build 17763.503
May 14, 2019
KB4494441 | Resolved
KB4505056 | May 19, 2019
02:00 PM PT |
- Windows 10, version 1809 update history may show an update installed twice
Some customers are reporting that KB4494441 installed twice on their device
See details > | OS Build 17763.503
May 14, 2019
KB4494441 | Resolved
| May 16, 2019
02:37 PM PT |
- Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details > | OS Build 17763.475
May 03, 2019
KB4495667 | Resolved
KB4494441 | May 14, 2019
10:00 AM PT |
- Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.
See details > | OS Build 17763.475
May 03, 2019
KB4495667 | Resolved
KB4494441 | May 14, 2019
10:00 AM PT |
- Latest cumulative update (KB 4495667) installs automatically
Reports that the optional cumulative update (KB 4495667) installs automatically.
See details > | OS Build 17763.475
May 03, 2019
KB4495667 | Resolved
| May 08, 2019
03:37 PM PT |
- System may be unresponsive after restart if ArcaBit antivirus software installed
After further investigation ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809
See details > | OS Build 17763.437
April 09, 2019
KB4493509 | Resolved
| May 08, 2019
03:30 PM PT |
+ Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.
See details > | OS Build 17763.529
May 21, 2019
KB4497934 | Resolved
KB4509479 | June 26, 2019
04:00 PM PT |
+ Devices with Realtek Bluetooth radios drivers may not pair or connect as expected
Devices with some Realtek Bluetooth radios drivers, in some circumstances, may have issues pairing or connecting to devices.
See details > | OS Build 17763.503
May 14, 2019
KB4494441 | Resolved
KB4501371 | June 18, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 17763.557
June 11, 2019
KB4503327 | Resolved
KB4501371 | June 18, 2019
02:00 PM PT |
+ Printing from Microsoft Edge or other UWP apps may result in the error 0x80070007
Attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) apps, you may receive an error.
See details > | OS Build 17763.379
March 12, 2019
KB4489899 | Resolved
KB4501371 | June 18, 2019
02:00 PM PT |
"
@@ -87,12 +83,24 @@ sections:
"
+- title: July 2019
+- items:
+ - type: markdown
+ text: "
+
| Details | Originating update | Status | History |
+ Devices starting using PXE from a WDS or SCCM servers may fail to startDevices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503327 on a WDS server.
Affected platforms: - Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Workaround: To mitigate this issue on an SCCM server: - Verify Variable Window Extension is enabled.
- Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.
To mitigate this issue on a WDS server without SCCM: - In WDS TFTP settings, verify Variable Window Extension is enabled.
- In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
- In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 17763.557
June 11, 2019
KB4503327 | Mitigated
| Last updated:
July 10, 2019
07:09 PM PT
Opened:
July 10, 2019
02:51 PM PT |
+
+ "
+
- title: June 2019
- items:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2019; Windows Server 2016
Workaround: To set the Default Search Provider, use the following steps: - Open an Administrator Command prompt and type the following: \"C:\\Program Files\\Internet Explorer\\iexplore.exe\" http://microsoft.com
- After Internet Explorer has opened, go to the Settings menu and select Manage add-ons.
- Select Search Providers in left pane.
- Select the link Find more search providers in the bottom left of the dialog.
- A new Internet Explorer window should open, allowing you to select a search provider.
- Select Add under the Search Provider you prefer.
- The Add Search Provider dialog should open, select Add.
- You should now be able to open Internet Explorer 11 normally.
Next steps: We are working on a resolution and estimate a solution will be available in mid-June.
Back to top | OS Build 17763.529
May 21, 2019
KB4497934 | Mitigated
| Last updated:
June 05, 2019
07:51 PM PT
Opened:
June 05, 2019
05:49 PM PT |
+ | Startup to a black screen after installing updates We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803
- Server: Windows Server 2019
Workaround: To mitigate this issue, press Ctrl+Alt+Delete, then select the Power button in the lower right corner of the screen and select Restart. Your device should now restart normally.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 17763.557
June 11, 2019
KB4503327 | Mitigated
| Last updated:
June 14, 2019
04:41 PM PT
Opened:
June 14, 2019
04:41 PM PT |
+ Difficulty connecting to some iSCSI-based SANsDevices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4497934. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509479.
Back to top | OS Build 17763.529
May 21, 2019
KB4497934 | Resolved
KB4509479 | Resolved:
June 26, 2019
04:00 PM PT
Opened:
June 20, 2019
04:46 PM PT |
+ | Devices with Realtek Bluetooth radios drivers may not pair or connect as expected In some circumstances, devices with Realtek Bluetooth radios may have issues pairing or connecting to Bluetooth devices due to a driver issue.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
- Server: Windows Server 2019
Resolution: This issue was resolved in KB4501371.
Back to top | OS Build 17763.503
May 14, 2019
KB4494441 | Resolved
KB4501371 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 14, 2019
05:45 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4501371.
Back to top | OS Build 17763.557
June 11, 2019
KB4503327 | Resolved
KB4501371 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
"
@@ -102,31 +110,7 @@ sections:
text: "
| Details | Originating update | Status | History |
Devices with some Asian language packs installed may receive an errorAfter installing the April 2019 Cumulative Update ( KB4493509), devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
- Server: Windows Server, version 1809; Windows Server 2019
Workaround: - Uninstall and reinstall any recently added language packs. For instructions, see \"Manage the input and display language settings in Windows 10\".
- Click Check for Updates and install the April 2019 Cumulative Update. For instructions, see \"Update Windows 10\".
Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows: - Go to Settings app -> Recovery.
- Click on Get Started under \"Reset this PC\" recovery option.
- Select \"Keep my Files\".
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 17763.437
April 09, 2019
KB4493509 | Mitigated
| Last updated:
May 03, 2019
10:59 AM PT
Opened:
May 02, 2019
04:36 PM PT |
- | Printing from Microsoft Edge or other UWP apps, you may receive the error 0x80070007 When attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications you may receive the error, \"Your printer has experienced an unexpected configuration problem. 0x80070007e.\" Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
- Server: Windows Server, version 1809; Windows Server 2019
Workaround: You can use another browser, such as Internet Explorer to print your documents. Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 17763.379
March 12, 2019
KB4489899 | Mitigated
| Last updated:
May 02, 2019
04:47 PM PT
Opened:
May 02, 2019
04:47 PM PT |
- | Unable to access some gov.uk websites After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms: - Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolved: We have released an \" out-of-band\" update for Windows 10 ( KB4505056) to resolve this issue.
- UK customers: This update will be applied automatically to resolve this issue. You may be required to restart your device again. If you are affected by this issue, Check for updates to apply the update immediately.
- Customers outside of the UK: This update will not be applied automatically. If you are affected by this issue, we recommend you apply this update by installing KB4505056 from Windows Update and then restarting your device.
To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505056, search for it in the Microsoft Update Catalog.
Back to top | OS Build 17763.503
May 14, 2019
KB4494441 | Resolved
KB4505056 | Resolved:
May 19, 2019
02:00 PM PT
Opened:
May 16, 2019
01:57 PM PT |
- | Windows 10, version 1809 update history may show an update installed twice Affected platforms: - Client: Windows 10, version 1809
Cause: In certain situations, installing an update requires multiple download and restart steps. In cases where two intermediate steps of the installation complete successfully, the View your Update history page will report that installation completed successfully twice.
Resolution: No action is required on your part. The update installation may take longer and may require more than one restart, but will install successfully after all intermediate installation steps have completed. We are working on improving this update experience to ensure the Update history correctly reflects the installation of the latest cumulative update (LCU).
Back to top | OS Build 17763.503
May 14, 2019
KB4494441 | Resolved
| Resolved:
May 16, 2019
02:37 PM PT
Opened:
May 14, 2019
02:56 PM PT |
- | Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue has been resolved.
Back to top | OS Build 17763.475
May 03, 2019
KB4495667 | Resolved
KB4494441 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
May 10, 2019
10:35 AM PT |
- Zone transfers over TCP may failZone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail after installing KB4495667. Affected platforms: - Client: Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4494441.
Back to top | OS Build 17763.475
May 03, 2019
KB4495667 | Resolved
KB4494441 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
May 14, 2019
01:19 PM PT |
- Latest cumulative update (KB 4495667) installs automaticallyDue to a servicing side issue some users were offered KB4495667 (optional update) automatically and rebooted devices. This issue has been mitigated.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
- Server: Windows Server, version 1809; Windows Server 2019
Resolution:: This issue has been mitigated on the servicing side to prevent auto installing of this update. Customers do not need to take any action.
Back to top | OS Build 17763.475
May 03, 2019
KB4495667 | Resolved
| Resolved:
May 08, 2019
03:37 PM PT
Opened:
May 05, 2019
12:01 PM PT |
-
- "
-
-- title: April 2019
-- items:
- - type: markdown
- text: "
-
| Details | Originating update | Status | History |
- | System may be unresponsive after restart if ArcaBit antivirus software installed ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809 (client or server).
Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: ArcaBit has released an update to address this issue for affected platforms. For more information, see the ArcaBit support article.
Resolution: This issue has been resolved. ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809 (client or server).
Back to top | OS Build 17763.437
April 09, 2019
KB4493509 | Resolved
| Resolved:
May 08, 2019
03:30 PM PT
Opened:
April 09, 2019
10:00 AM PT |
-
- "
-
-- title: March 2019
-- items:
- - type: markdown
- text: "
-
| Details | Originating update | Status | History |
- Issue using PXE to start a device from WDSAfter installing KB4489899, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:
Option 1: Open an Administrator Command prompt and type the following: Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No
-
Option 2: Use the Windows Deployment Services UI to make the following adjustment: - Open Windows Deployment Services from Windows Administrative Tools.
- Expand Servers and right-click a WDS server.
- Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.
Option 3: Set the following registry value to 0: HKLM\\System\\CurrentControlSet\\Services\\WDSServer\\Providers\\WDSTFTP\\EnableVariableWindowExtension
Restart the WDSServer service after disabling the Variable Window Extension.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 17763.379
March 12, 2019
KB4489899 | Mitigated
| Last updated:
April 09, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PT |
+ | Printing from Microsoft Edge or other UWP apps may result in the error 0x80070007 When attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications you may receive the error, \"Your printer has experienced an unexpected configuration problem. 0x80070007e.\" Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
- Server: Windows Server, version 1809; Windows Server 2019
Resolution: This issue was resolved in KB4501371.
Back to top | OS Build 17763.379
March 12, 2019
KB4489899 | Resolved
KB4501371 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
May 02, 2019
04:47 PM PT |
"
@@ -138,12 +122,3 @@ sections:
| Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following: - Perform the operation from a process that has administrator privilege.
- Perform the operation from a node that doesn’t have CSV ownership.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 17763.253
January 08, 2019
KB4480116 | Mitigated
| Last updated:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PT |
"
-
-- title: November 2018
-- items:
- - type: markdown
- text: "
-
| Details | Originating update | Status | History |
- | Audio not working on monitors or TV connected to a PC via HDMI, USB, or DisplayPort Upgrade block: Microsoft has identified issues with certain new Intel display drivers. Intel inadvertently released versions of its display driver (versions 24.20.100.6344, 24.20.100.6345) to OEMs that accidentally turned on unsupported features in Windows. As a result, after updating to Windows 10, version 1809, audio playback from a monitor or television connected to a PC via HDMI, USB-C, or a DisplayPort may not function correctly on devices with these drivers. Note: This Intel display driver issue is different from the Intel Smart Sound Technology driver (version 09.21.00.3755) audio issue previously documented.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
- Server: Windows Server, version 1809; Windows Server 2019
Next steps: Intel has released updated drivers to OEM device manufacturers. OEMs need to make the updated driver available via Windows Update. For more information, see the Intel Customer Support article.
Resolution: Microsoft has removed the safeguard hold.
Back to top | OS Build 17763.134
November 13, 2018
KB4467708 | Resolved
| Resolved:
May 21, 2019
07:42 AM PT
Opened:
November 13, 2018
10:00 AM PT |
-
- "
diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml
index d00e89505d..1592d8901e 100644
--- a/windows/release-information/status-windows-10-1903.yml
+++ b/windows/release-information/status-windows-10-1903.yml
@@ -21,8 +21,9 @@ sections:
Find information on known issues for Windows 10, version 1903 and Windows Server, version 1903. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
-Current status as of June 6, 2019:
- Windows 10, version 1903 is available for any user who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel. Note follow @WindowsUpdate to find out when new content is published to the release information dashboard. | Current status as of June 18, 2019:
+ Windows 10, version 1903 is available for any user who manually selects “Check for updates” via Windows Update for all devices that do not have a safeguard hold. If you are not offered the update, please check below for any known issues that may affect your device. The recommended servicing status is Semi-Annual Channel. We are now beginning to build and train the machine learning (ML) based rollout process to update devices running the April 2018 Update, and earlier versions of Windows 10, to ensure we can continue to service these devices and provide the latest updates, security updates and improvements. Note Follow @WindowsUpdate to find out when new content is published to the release information dashboard. |
"
@@ -34,17 +35,17 @@ sections:
columns: 3
items:
- - href: https://blogs.windows.com/windowsexperience/
+ - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
html: Get the update >
image:
src: https://docs.microsoft.com/media/common/i_deploy.svg
title: Windows 10, version 1903 rollout begins
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064
html: Read about the latest enhancements >
image:
src: https://docs.microsoft.com/media/common/i_whats-new.svg
title: What’s new in Windows Update for Business
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024
html: Get an overview >
image:
src: https://docs.microsoft.com/media/common/i_investigate.svg
@@ -65,20 +66,19 @@ sections:
- type: markdown
text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
- Windows Sandbox may fail to start with error code “0x80070002”
Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language was changed between updates
See details > | OS Build 18362.116
May 20, 2019
KB4505057 | Investigating
| June 06, 2019
11:05 AM PT |
- Loss of functionality in Dynabook Smartphone Link app
After updating to Windows 10, version 1903, you may experience a loss of functionality when using the Dynabook Smartphone Link application.
See details > | OS Build 18362.116
May 20, 2019
KB4505057 | Investigating
| May 24, 2019
03:10 PM PT |
+ Windows Sandbox may fail to start with error code “0x80070002”
Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language was changed between updates
See details > | OS Build 18362.116
May 20, 2019
KB4505057 | Investigating
| June 10, 2019
06:06 PM PT |
Display brightness may not respond to adjustments
Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Investigating
| May 21, 2019
04:47 PM PT |
- Audio not working with Dolby Atmos headphones and home theater
Users may experience audio loss with Dolby Atmos headphones or Dolby Atmos home theater.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Investigating
| May 21, 2019
07:17 AM PT |
+ Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details > | OS Build 18362.175
June 11, 2019
KB4503293 | Mitigated
| July 10, 2019
07:09 PM PT |
+ RASMAN service may stop working and result in the error “0xc0000005”
The Remote Access Connection Manager (RASMAN) service may stop working and result in the error “0xc0000005” with VPN profiles configured as an Always On VPN connection.
See details > | OS Build 18362.145
May 29, 2019
KB4497935 | Mitigated
| July 01, 2019
05:04 PM PT |
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Mitigated
| May 24, 2019
11:02 AM PT |
Unable to discover or connect to Bluetooth devices
Microsoft has identified compatibility issues with some versions of Realtek and Qualcomm Bluetooth radio drivers.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Mitigated
| May 21, 2019
04:48 PM PT |
Intel Audio displays an intcdaud.sys notification
Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in battery drain.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Mitigated
| May 21, 2019
04:47 PM PT |
Cannot launch Camera app
Microsoft and Intel have identified an issue affecting Intel RealSense SR300 or Intel RealSense S200 camera apps.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Mitigated
| May 21, 2019
04:47 PM PT |
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Mitigated
| May 21, 2019
04:46 PM PT |
- Older versions of BattlEye anti-cheat software incompatible
Microsoft and BattlEye have identified a compatibility issue with some games that use older versions of BattlEye anti-cheat software.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
| June 06, 2019
01:33 PM PT |
- Duplicate folders and documents showing in user profile directory
If known folders (e.g. Desktop, Documents, or Pictures folders) are redirected, an empty folder with that same name may be created.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
KB4497935 | May 29, 2019
02:00 PM PT |
- AMD RAID driver incompatibility
Installation process may stop when trying to install Windows 10, version 1903 update on computers that run certain versions of AMD RAID drivers.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
| June 06, 2019
11:06 AM PT |
- Error attempting to update with external USB device or memory card attached
PCs with an external USB device or SD memory card attached may get error: \"This PC can't be upgraded to Windows 10.\"
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
KB4497935 | May 29, 2019
02:00 PM PT |
- D3D applications and games may fail to enter full-screen mode on rotated displays
Some Direct3D (D3D) applications and games may fail to enter full-screen mode on rotated displays.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
KB4497935 | May 29, 2019
02:00 PM PT |
+ Loss of functionality in Dynabook Smartphone Link app
After updating to Windows 10, version 1903, you may experience a loss of functionality when using the Dynabook Smartphone Link application.
See details > | OS Build 18362.116
May 20, 2019
KB4505057 | Resolved
| July 11, 2019
01:54 PM PT |
+ Audio not working with Dolby Atmos headphones and home theater
Users may experience audio loss with Dolby Atmos headphones or Dolby Atmos home theater.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
| July 11, 2019
01:53 PM PT |
+ Error attempting to update with external USB device or memory card attached
PCs with an external USB device or SD memory card attached may get error: \"This PC can't be upgraded to Windows 10.\"
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
| July 11, 2019
01:53 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 18362.175
June 11, 2019
KB4503293 | Resolved
KB4501375 | June 27, 2019
10:00 AM PT |
"
@@ -89,24 +89,39 @@ sections:
"
+- title: July 2019
+- items:
+ - type: markdown
+ text: "
+
| Details | Originating update | Status | History |
+ Devices starting using PXE from a WDS or SCCM servers may fail to startDevices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503293 on a WDS server.
Affected platforms: - Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Workaround: To mitigate this issue on an SCCM server: - Verify Variable Window Extension is enabled.
- Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.
To mitigate this issue on a WDS server without SCCM: - In WDS TFTP settings, verify Variable Window Extension is enabled.
- In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
- In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 18362.175
June 11, 2019
KB4503293 | Mitigated
| Last updated:
July 10, 2019
07:09 PM PT
Opened:
July 10, 2019
02:51 PM PT |
+
+ "
+
+- title: June 2019
+- items:
+ - type: markdown
+ text: "
+
| Details | Originating update | Status | History |
+ | RASMAN service may stop working and result in the error “0xc0000005” The Remote Access Connection Manager (RASMAN) service may stop working and you may receive the error “0xc0000005” on devices where the diagnostic data level is manually configured to the non-default setting of 0. You may also receive an error in the Application section of Windows Logs in Event Viewer with Event ID 1000 referencing “svchost.exe_RasMan” and “rasman.dll”.
This issue only occurs when a VPN profile is configured as an Always On VPN (AOVPN) connection with or without device tunnel. This does not affect manual only VPN profiles or connections.
Affected platforms - Client: Windows 10, version 1903
Workaround: To mitigate this issue, use one of the steps below, either the group policy step or the registry step, to configure one of the default telemetry settings:
Set the value for the following group policy settings: - Group Policy Path: Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Allow Telemetry
- Safe Policy Setting: Enabled and set to 1 (Basic) or 2 (Enhanced) or 3 (Full)
Or set the following registry value: SubKey: HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection Setting: AllowTelemetry Type: REG_DWORD Value: 1, 2 or 3
Note If the Remote Access Connection Manager service is not running after setting the Group Policy or registry key, you will need to manually start the service or restart the device.
Next Steps: We are working on a resolution and estimate a solution will be available in late July.
Back to top | OS Build 18362.145
May 29, 2019
KB4497935 | Mitigated
| Last updated:
July 01, 2019
05:04 PM PT
Opened:
June 28, 2019
05:01 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4501375.
Back to top | OS Build 18362.175
June 11, 2019
KB4503293 | Resolved
KB4501375 | Resolved:
June 27, 2019
10:00 AM PT
Opened:
June 12, 2019
11:11 AM PT |
+
+ "
+
- title: May 2019
- items:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Windows Sandbox may fail to start with error code “0x80070002” Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.
Affected platforms: - Client: Windows 10, version 1903
Next steps: We are working on a resolution and estimate a solution will be available mid-to-late June.
Back to top | OS Build 18362.116
May 20, 2019
KB4505057 | Investigating
| Last updated:
June 06, 2019
11:05 AM PT
Opened:
May 24, 2019
04:20 PM PT |
- | Loss of functionality in Dynabook Smartphone Link app Some users may experience a loss of functionality after updating to Windows 10, version 1903 when using the Dynabook Smartphone Link application on Windows devices. Loss of functionality may affect the display of phone numbers in the Call menu and the ability to answer phone calls on the Windows PC.
To safeguard your update experience, we have applied a compatibility hold on devices with Dynabook Smartphone Link from being offered Windows 10, version 1903, until this issue is resolved.
Affected platforms: - Client: Windows 10, version 1903
Next steps: Microsoft and Dynabook are working on a resolution; the Dynabook Smartphone Link application may have a loss of functionality until this issue is resolved.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
Back to top | OS Build 18362.116
May 20, 2019
KB4505057 | Investigating
| Last updated:
May 24, 2019
03:10 PM PT
Opened:
May 24, 2019
03:10 PM PT |
+ | Windows Sandbox may fail to start with error code “0x80070002” Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.
Affected platforms: - Client: Windows 10, version 1903
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 18362.116
May 20, 2019
KB4505057 | Investigating
| Last updated:
June 10, 2019
06:06 PM PT
Opened:
May 24, 2019
04:20 PM PT |
| Display brightness may not respond to adjustments Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. After updating to Window 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change.
To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved.
Affected platforms: - Client: Windows 10, version 1903
Workaround: Restart your device to apply changes to brightness.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
Next steps: We are working on a resolution that will be made available in upcoming release.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Investigating
| Last updated:
May 21, 2019
04:47 PM PT
Opened:
May 21, 2019
07:56 AM PT |
- | Audio not working with Dolby Atmos headphones and home theater After updating to Windows 10, version 1903, you may experience loss of audio with Dolby Atmos for home theater (free extension) or Dolby Atmos for headphones (paid extension) acquired through the Microsoft Store due to a licensing configuration error. This occurs due to an issue with a Microsoft Store licensing component, where license holders are not able to connect to the Dolby Access app and enable Dolby Atmos extensions. To safeguard your update experience, we have applied protective hold on devices from being offered Windows 10, version 1903 until this issue is resolved. This configuration error will not result in loss of access for the acquired license once the problem is resolved.
Affected platforms: - Client: Windows 10, version 1903
Next steps: We are working on a resolution for Microsoft Store and estimate a solution will be available in mid-June. Note We recommend you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Investigating
| Last updated:
May 21, 2019
07:17 AM PT
Opened:
May 21, 2019
07:16 AM PT |
| Gamma ramps, color profiles, and night light settings do not apply in some cases Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.
Microsoft has identified some scenarios where night light settings may stop working, for example: - Connecting to (or disconnecting from) an external monitor, dock, or projector
- Rotating the screen
- Updating display drivers or making other display mode changes
- Closing full screen applications
- Applying custom color profiles
- Running applications that rely on custom gamma ramps
Affected platforms: - Client: Windows 10, version 1903
Workaround: If you find that your night light has stopped working, try turning the night light off and on, or restarting your computer. For other color setting issues, restart your computer to correct the issue.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Mitigated
| Last updated:
May 24, 2019
11:02 AM PT
Opened:
May 21, 2019
07:28 AM PT |
| Unable to discover or connect to Bluetooth devices Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek and Qualcomm. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek or Qualcomm Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.
Affected platforms: - Client: Windows 10, version 1903
- Server: Windows Server, version 1903
Workaround: Check with your device manufacturer (OEM) to see if an updated driver is available and install it.
- For Qualcomm drivers, you will need to install a driver version greater than 10.0.1.11.
- For Realtek drivers, you will need to install a driver version greater than 1.5.1011.0.
Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool.
Next steps: Microsoft is working with Realtek and Qualcomm to release new drivers for all affected system via Windows Update.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Mitigated
| Last updated:
May 21, 2019
04:48 PM PT
Opened:
May 21, 2019
07:29 AM PT |
| Intel Audio displays an intcdaud.sys notification Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to Windows 10, version 1903, you have an affected Intel Audio Display device driver installed on your machine (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8). To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809
Workaround: On the “What needs your attention\" notification, click the Back button to remain on your current version of Windows 10. (Do not click Confirm as this will proceed with the update and you may experience compatibility issues.) Affected devices will automatically revert to the previous working configuration.
Note We recommend you do not attempt to update your devices until newer device drivers are installed.
Next steps: You can opt to wait for newer drivers to be installed automatically through Windows Update or check with the computer manufacturer for the latest device driver software availability and installation procedures.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Mitigated
| Last updated:
May 21, 2019
04:47 PM PT
Opened:
May 21, 2019
07:22 AM PT |
| Cannot launch Camera app Microsoft and Intel have identified an issue affecting Intel RealSense SR300 and Intel RealSense S200 cameras when using the Camera app. After updating to the Windows 10 May 2019 Update and launching the Camera app, you may get an error message stating: \"Close other apps, error code: 0XA00F4243.”
To safeguard your update experience, we have applied a protective hold on machines with Intel RealSense SR300 or Intel RealSense S200 cameras installed from being offered Windows 10, version 1903, until this issue is resolved.
Affected platforms: - Client: Windows 10, version 1903
Workaround: To temporarily resolve this issue, perform one of the following:
- Unplug your camera and plug it back in.
or - Disable and re-enable the driver in Device Manager. In the Search box, type \"Device Manager\" and press Enter. In the Device Manager dialog box, expand Cameras, then right-click on any RealSense driver listed and select Disable device. Right click on the driver again and select Enable device.
or - Restart the RealSense service. In the Search box, type \"Task Manager\" and hit Enter. In the Task Manager dialog box, click on the Services tab, right-click on RealSense, and select Restart.
Note This workaround will only resolve the issue until your next system restart.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Mitigated
| Last updated:
May 21, 2019
04:47 PM PT
Opened:
May 21, 2019
07:20 AM PT |
| Intermittent loss of Wi-Fi connectivity Some older computers may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).
To safeguard your upgrade experience, we have applied a hold on devices with this Qualcomm driver from being offered Windows 10, version 1903, until the updated driver is installed.
Affected platforms: - Client: Windows 10, version 1903
Workaround: Download and install an updated Wi-Fi driver from your device manufacturer (OEM). Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Mitigated
| Last updated:
May 21, 2019
04:46 PM PT
Opened:
May 21, 2019
07:13 AM PT |
- | Older versions of BattlEye anti-cheat software incompatible Microsoft and BattlEye have identified a compatibility issue with some games that use older versions of BattlEye anti-cheat software. When launching a game that uses an older, impacted version of BattlEye anti-cheat software on a device running Windows 10, version 1903, the device may experience a system crash.
To safeguard your gaming experience, we have applied a compatibility hold on devices with the impacted versions of BattlEye software used by games installed on your PC. This will prevent Windows 10, version 1903 from being offered until the incompatible version of BattlEye software is no longer installed on the device.
Affected platforms: - Client: Windows 10, version 1903
Workaround: Before updating your machine, we recommend you do one or more of the following:
- Verify that your game is up to date with the latest available version of BattlEye software. Some game platforms allow you to validate your game files, which can confirm that your installation is fully up to date.
- Restart your system and open the game again.
- Uninstall BattlEye using https://www.battleye.com/downloads/UninstallBE.exe, and then reopen your game.
- Uninstall and reinstall your game.
Resolution: This issue was resolved externally by BattlEye for all known impacted games. You will need to ensure you are running the latest version of your game before updating to Windows 10, version 1903. For a list of recent games that use BattlEye, go to https://www.battleye.com/. The compatibility hold will remain in place on older versions of BattlEye as a safeguard. For customers already running Windows 10, version 1903, opening games with incompatible versions of BattleEye may fail. If you have any issues with opening games related to a BattlEye error, please see https://www.battleye.com/support/faq/.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
| Resolved:
June 06, 2019
01:33 PM PT
Opened:
May 21, 2019
07:34 AM PT |
- | Duplicate folders and documents showing in user profile directory If you have redirected known folders (e.g. Desktop, Documents, or Pictures folders) you may see an empty folder with the same name in your %userprofile% directories after updating to Windows 10, version 1903. This may occur if known folders were redirected when you chose to back up your content to OneDrive using the OneDrive wizard, or if you chose to back up your content during the Windows Out-of-Box-Experience (OOBE). This may also occur if you redirected your known folders manually through the Properties dialog box in File Explorer. This issue does not cause any user files to be deleted and a solution is in progress.
To safeguard your update experience, we have applied a quality hold on devices with redirected known folders from being offered Windows 10, version 1903, until this issue is resolved.
Affected platforms: - Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4497935. The safeguard hold will be removed following the June Update Tuesday release. Note We recommend that you do not attempt to manually update to Windows 10, version 1903 using the Update now button or the Media Creation Tool until this issue has been resolved.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
KB4497935 | Resolved:
May 29, 2019
02:00 PM PT
Opened:
May 21, 2019
07:16 AM PT |
- | AMD RAID driver incompatibility Microsoft and AMD have identified an incompatibility with AMD RAID driver versions earlier than 9.2.0.105. When you attempt to install the Windows 10, version 1903 update on a Windows 10-based computer with an affected driver version, the installation process stops and you get a message like the following: AMD Ryzen™ or AMD Ryzen™ Threadripper™ configured in SATA or NVMe RAID mode. “A driver is installed that causes stability problems on Windows. This driver will be disabled. Check with your software/driver provider for an updated version that runs on this version of Windows.” To safeguard your update experience, we have applied a compatibility hold on devices with these AMD drivers from being offered Windows 10, version 1903, until this issue is resolved.
Affected platforms: - Client: Windows 10, version 1903
Resolution: This issue has been resolved externally by AMD. To resolve this issue, you will need to download the latest AMD RAID drivers directly from AMD at https://www.amd.com/en/support/chipsets/amd-socket-tr4/x399. The drivers must be version 9.2.0.105 or later. Install the drivers on the affected computer, and then restart the installation process for the Windows 10, version 1903 feature update. Note The safeguard hold will remain in place on machines with the older AMD RAID drivers. We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
| Resolved:
June 06, 2019
11:06 AM PT
Opened:
May 21, 2019
07:12 AM PT |
- | Error attempting to update with external USB device or memory card attached If you have an external USB device or SD memory card attached when installing Windows 10, version 1903, you may get an error message stating \"This PC can't be upgraded to Windows 10.\" This is caused by inappropriate drive reassignment during installation.
Sample scenario: An update to Windows 10, version 1903 is attempted on a computer that has a thumb drive inserted into its USB port. Before the update, the thumb drive is mounted in the system as drive G based on the existing drive configuration. After the feature update is installed; however, the device is reassigned a different drive letter (e.g., drive H).
Note The drive reassignment is not limited to removable drives. Internal hard drives may also be affected.
To safeguard your update experience, we have applied a hold on devices with an external USB device or SD memory card attached from being offered Windows 10, version 1903 until this issue is resolved.
Affected platforms: - Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4497935. The safeguard hold will be removed following the June Update Tuesday release.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
KB4497935 | Resolved:
May 29, 2019
02:00 PM PT
Opened:
May 21, 2019
07:38 AM PT |
- | D3D applications and games may fail to enter full-screen mode on rotated displays Some Direct3D (D3D) applications and games (e.g., 3DMark) may fail to enter full-screen mode on displays where the display orientation has been changed from the default (e.g., a landscape display in portrait mode).
Affected platforms: - Client: Windows 10, version 1903
- Server: Windows Server, version 1903
Resolution: This issue was resolved in KB4497935.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
KB4497935 | Resolved:
May 29, 2019
02:00 PM PT
Opened:
May 21, 2019
07:05 AM PT |
+ | Loss of functionality in Dynabook Smartphone Link app Some users may experience a loss of functionality after updating to Windows 10, version 1903 when using the Dynabook Smartphone Link application on Windows devices. Loss of functionality may affect the display of phone numbers in the Call menu and the ability to answer phone calls on the Windows PC.
To safeguard your update experience, we have applied a compatibility hold on devices with Dynabook Smartphone Link from being offered Windows 10, version 1903, until this issue is resolved.
Affected platforms: - Client: Windows 10, version 1903
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Window 10, version 1903.
Back to top | OS Build 18362.116
May 20, 2019
KB4505057 | Resolved
| Resolved:
July 11, 2019
01:54 PM PT
Opened:
May 24, 2019
03:10 PM PT |
+ | Audio not working with Dolby Atmos headphones and home theater After updating to Windows 10, version 1903, you may experience loss of audio with Dolby Atmos for home theater (free extension) or Dolby Atmos for headphones (paid extension) acquired through the Microsoft Store due to a licensing configuration error. This occurs due to an issue with a Microsoft Store licensing component, where license holders are not able to connect to the Dolby Access app and enable Dolby Atmos extensions. To safeguard your update experience, we have applied protective hold on devices from being offered Windows 10, version 1903 until this issue is resolved. This configuration error will not result in loss of access for the acquired license once the problem is resolved.
Affected platforms: - Client: Windows 10, version 1903
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Window 10, version 1903.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
| Resolved:
July 11, 2019
01:53 PM PT
Opened:
May 21, 2019
07:16 AM PT |
+ | Error attempting to update with external USB device or memory card attached If you have an external USB device or SD memory card attached when installing Windows 10, version 1903, you may get an error message stating \"This PC can't be upgraded to Windows 10.\" This is caused by inappropriate drive reassignment during installation.
Sample scenario: An update to Windows 10, version 1903 is attempted on a computer that has a thumb drive inserted into its USB port. Before the update, the thumb drive is mounted in the system as drive G based on the existing drive configuration. After the feature update is installed; however, the device is reassigned a different drive letter (e.g., drive H).
Note The drive reassignment is not limited to removable drives. Internal hard drives may also be affected.
To safeguard your update experience, we have applied a hold on devices with an external USB device or SD memory card attached from being offered Windows 10, version 1903 until this issue is resolved.
Affected platforms: - Client: Windows 10, version 1903
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Window 10, version 1903.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
| Resolved:
July 11, 2019
01:53 PM PT
Opened:
May 21, 2019
07:38 AM PT |
"
diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
index 70bb640684..bd47291e52 100644
--- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
+++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
@@ -29,17 +29,17 @@ sections:
columns: 3
items:
- - href: https://blogs.windows.com/windowsexperience/
+ - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
html: Get the update >
image:
src: https://docs.microsoft.com/media/common/i_deploy.svg
title: Windows 10, version 1903 rollout begins
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064
html: Read about the latest enhancements >
image:
src: https://docs.microsoft.com/media/common/i_whats-new.svg
title: What’s new in Windows Update for Business
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024
html: Get an overview >
image:
src: https://docs.microsoft.com/media/common/i_investigate.svg
@@ -60,12 +60,10 @@ sections:
- type: markdown
text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
+ Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details > | June 11, 2019
KB4503292 | Mitigated
| July 10, 2019
02:59 PM PT |
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.
See details > | April 09, 2019
KB4493472 | Mitigated
| April 25, 2019
02:00 PM PT |
- Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | May 14, 2019
KB4499164 | Resolved
KB4505050 | May 18, 2019
02:00 PM PT |
- System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.
See details > | April 09, 2019
KB4493472 | Resolved
| May 14, 2019
01:23 PM PT |
- System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
See details > | April 09, 2019
KB4493472 | Resolved
| May 14, 2019
01:22 PM PT |
- System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.
See details > | April 09, 2019
KB4493472 | Resolved
| May 14, 2019
01:21 PM PT |
- Authentication may fail for services after the Kerberos ticket expires
Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.
See details > | March 12, 2019
KB4489878 | Resolved
KB4499164 | May 14, 2019
10:00 AM PT |
+ IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.
See details > | May 14, 2019
KB4499164 | Resolved
KB4503277 | June 20, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503292 | Resolved
KB4503277 | June 20, 2019
02:00 PM PT |
"
@@ -76,12 +74,22 @@ sections:
"
-- title: May 2019
+- title: July 2019
- items:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Unable to access some gov.uk websites After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms: - Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolved: We have released an \"optional\" update for Internet Explorer 11 ( KB4505050) to resolve this issue. We recommend you apply this update by installing KB4505050 from Windows Update and then restarting your device.
Back to top | May 14, 2019
KB4499164 | Resolved
KB4505050 | Resolved:
May 18, 2019
02:00 PM PT
Opened:
May 16, 2019
01:57 PM PT |
+ Devices starting using PXE from a WDS or SCCM servers may fail to startDevices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503292 on a WDS server.
Affected platforms: - Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Workaround:
Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.
To mitigate this issue on a WDS server without SCCM: - In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
- In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | June 11, 2019
KB4503292 | Mitigated
| Last updated:
July 10, 2019
02:59 PM PT
Opened:
July 10, 2019
02:51 PM PT |
+
+ "
+
+- title: June 2019
+- items:
+ - type: markdown
+ text: "
+
| Details | Originating update | Status | History |
+ | IE11 may stop working when loading or interacting with Power BI reports Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.
Affected platforms: - Client: Windows 7 SP1; Windows 8.1
- Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Resolution: This issue was resolved in Preview Rollup KB4503277. If you are using the Internet Explorer cumulative updates, this issue was resolved in KB4508646.
Back to top | May 14, 2019
KB4499164 | Resolved
KB4503277 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 07, 2019
02:57 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503277. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.
Back to top | June 11, 2019
KB4503292 | Resolved
KB4503277 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
"
@@ -91,17 +99,5 @@ sections:
text: "
| Details | Originating update | Status | History |
| System may be unresponsive after restart with certain McAfee antivirus products Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: Guidance for McAfee customers can be found in the following McAfee support articles: Next steps: We are presently investigating this issue with McAfee. We will provide an update once we have more information.
Back to top | April 09, 2019
KB4493472 | Mitigated
| Last updated:
April 25, 2019
02:00 PM PT
Opened:
April 09, 2019
10:00 AM PT |
- System may be unresponsive after restart if ArcaBit antivirus software installedMicrosoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.
Back to top | April 09, 2019
KB4493472 | Resolved
| Resolved:
May 14, 2019
01:23 PM PT
Opened:
April 09, 2019
10:00 AM PT |
- System unresponsive after restart if Sophos Endpoint Protection installedMicrosoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493472.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.
Back to top | April 09, 2019
KB4493472 | Resolved
| Resolved:
May 14, 2019
01:22 PM PT
Opened:
April 09, 2019
10:00 AM PT |
- System may be unresponsive after restart if Avira antivirus software installedMicrosoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.
Back to top | April 09, 2019
KB4493472 | Resolved
| Resolved:
May 14, 2019
01:21 PM PT
Opened:
April 09, 2019
10:00 AM PT |
-
- "
-
-- title: March 2019
-- items:
- - type: markdown
- text: "
-
| Details | Originating update | Status | History |
- Authentication may fail for services after the Kerberos ticket expiresAfter installing KB4489878, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails.
Affected platforms: - Client: Windows 7 SP1
- Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4499164.
Back to top | March 12, 2019
KB4489878 | Resolved
KB4499164 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PT |
"
diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
index e76412be72..70d40a6d5e 100644
--- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
+++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
@@ -29,17 +29,17 @@ sections:
columns: 3
items:
- - href: https://blogs.windows.com/windowsexperience/
+ - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
html: Get the update >
image:
src: https://docs.microsoft.com/media/common/i_deploy.svg
title: Windows 10, version 1903 rollout begins
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064
html: Read about the latest enhancements >
image:
src: https://docs.microsoft.com/media/common/i_whats-new.svg
title: What’s new in Windows Update for Business
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024
html: Get an overview >
image:
src: https://docs.microsoft.com/media/common/i_investigate.svg
@@ -60,15 +60,12 @@ sections:
- type: markdown
text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
+ Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details > | June 11, 2019
KB4503276 | Mitigated
| July 10, 2019
07:09 PM PT |
Japanese IME doesn't show the new Japanese Era name as a text input option
If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.
See details > | April 25, 2019
KB4493443 | Mitigated
| May 15, 2019
05:53 PM PT |
- Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.
See details > | March 12, 2019
KB4489881 | Mitigated
| April 25, 2019
02:00 PM PT |
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.
See details > | January 08, 2019
KB4480963 | Mitigated
| April 25, 2019
02:00 PM PT |
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.
See details > | April 09, 2019
KB4493446 | Mitigated
| April 18, 2019
05:00 PM PT |
- Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | May 14, 2019
KB4499151 | Resolved
KB4505050 | May 18, 2019
02:00 PM PT |
- Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details > | April 25, 2019
KB4493443 | Resolved
KB4499151 | May 14, 2019
10:00 AM PT |
- System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.
See details > | April 09, 2019
KB4493446 | Resolved
| May 14, 2019
01:22 PM PT |
- System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
See details > | April 09, 2019
KB4493446 | Resolved
| May 14, 2019
01:22 PM PT |
- System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.
See details > | April 09, 2019
KB4493446 | Resolved
| May 14, 2019
01:21 PM PT |
+ IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.
See details > | May 14, 2019
KB4499151 | Resolved
KB4503283 | June 20, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503276 | Resolved
KB4503283 | June 20, 2019
02:00 PM PT |
"
@@ -79,14 +76,31 @@ sections:
"
+- title: July 2019
+- items:
+ - type: markdown
+ text: "
+
| Details | Originating update | Status | History |
+ Devices starting using PXE from a WDS or SCCM servers may fail to startDevices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503276 on a WDS server.
Affected platforms: - Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Workaround: To mitigate this issue on an SCCM server: - Verify Variable Window Extension is enabled.
- Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.
To mitigate this issue on a WDS server without SCCM: - In WDS TFTP settings, verify Variable Window Extension is enabled.
- In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
- In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | June 11, 2019
KB4503276 | Mitigated
| Last updated:
July 10, 2019
07:09 PM PT
Opened:
July 10, 2019
02:51 PM PT |
+
+ "
+
+- title: June 2019
+- items:
+ - type: markdown
+ text: "
+
| Details | Originating update | Status | History |
+ | IE11 may stop working when loading or interacting with Power BI reports Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.
Affected platforms: - Client: Windows 7 SP1; Windows 8.1
- Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Resolution: This issue was resolved in Preview Rollup KB4503283. If you are using the Internet Explorer cumulative updates, this issue was resolved in KB4508646.
Back to top | May 14, 2019
KB4499151 | Resolved
KB4503283 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 07, 2019
02:57 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503283. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.
Back to top | June 11, 2019
KB4503276 | Resolved
KB4503283 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
+
+ "
+
- title: May 2019
- items:
- type: markdown
text: "
| Details | Originating update | Status | History |
| Japanese IME doesn't show the new Japanese Era name as a text input option If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.
Affected platforms: - Client: Windows 8.1
- Server: Windows Server 2012 R2; Windows Server 2012
Workaround: If you see any of the previous dictionary updates listed below, uninstall it from Programs and features > Uninstall or change a program. New words that were in previous dictionary updates are also in this update. - Update for Japanese Microsoft IME Standard Dictionary (15.0.2013)
- Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.2013)
- Update for Japanese Microsoft IME Standard Dictionary (15.0.1215)
- Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1215)
- Update for Japanese Microsoft IME Standard Dictionary (15.0.1080)
- Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1080)
Back to top | April 25, 2019
KB4493443 | Mitigated
| Last updated:
May 15, 2019
05:53 PM PT
Opened:
May 15, 2019
05:53 PM PT |
- | Unable to access some gov.uk websites After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms: - Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolved: We have released an \"optional\" update for Internet Explorer 11 ( KB4505050) to resolve this issue. We recommend you apply this update by installing KB4505050 from Windows Update and then restarting your device.
Back to top | May 14, 2019
KB4499151 | Resolved
KB4505050 | Resolved:
May 18, 2019
02:00 PM PT
Opened:
May 16, 2019
01:57 PM PT |
- | Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue has been resolved.
Back to top | April 25, 2019
KB4493443 | Resolved
KB4499151 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
May 10, 2019
10:35 AM PT |
"
@@ -96,19 +110,6 @@ sections:
text: "
| Details | Originating update | Status | History |
| System may be unresponsive after restart with certain McAfee antivirus products Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: Guidance for McAfee customers can be found in the following McAfee support articles: Next steps: We are presently investigating this issue with McAfee. We will provide an update once we have more information.
Back to top | April 09, 2019
KB4493446 | Mitigated
| Last updated:
April 18, 2019
05:00 PM PT
Opened:
April 09, 2019
10:00 AM PT |
- System may be unresponsive after restart if ArcaBit antivirus software installedMicrosoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.
Back to top | April 09, 2019
KB4493446 | Resolved
| Resolved:
May 14, 2019
01:22 PM PT
Opened:
April 09, 2019
10:00 AM PT |
- System unresponsive after restart if Sophos Endpoint Protection installedMicrosoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493446.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.
Back to top | April 09, 2019
KB4493446 | Resolved
| Resolved:
May 14, 2019
01:22 PM PT
Opened:
April 09, 2019
10:00 AM PT |
- System may be unresponsive after restart if Avira antivirus software installedMicrosoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.
Back to top | April 09, 2019
KB4493446 | Resolved
| Resolved:
May 14, 2019
01:21 PM PT
Opened:
April 09, 2019
10:00 AM PT |
-
- "
-
-- title: March 2019
-- items:
- - type: markdown
- text: "
-
| Details | Originating update | Status | History |
- Issue using PXE to start a device from WDSAfter installing KB4489881, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:
Option 1: Open an Administrator Command prompt and type the following: Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No
-
Option 2: Use the Windows Deployment Services UI to make the following adjustment: - Open Windows Deployment Services from Windows Administrative Tools.
- Expand Servers and right-click a WDS server.
- Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.
Option 3: Set the following registry value to 0: HKLM\\System\\CurrentControlSet\\Services\\WDSServer\\Providers\\WDSTFTP\\EnableVariableWindowExtension
Restart the WDSServer service after disabling the Variable Window Extension.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.
Back to top | March 12, 2019
KB4489881 | Mitigated
| Last updated:
April 25, 2019
02:00 PM PT
Opened:
March 12, 2019
10:00 AM PT |
"
diff --git a/windows/release-information/status-windows-server-2008-sp2.yml b/windows/release-information/status-windows-server-2008-sp2.yml
index a38199a095..c8ea355938 100644
--- a/windows/release-information/status-windows-server-2008-sp2.yml
+++ b/windows/release-information/status-windows-server-2008-sp2.yml
@@ -29,17 +29,17 @@ sections:
columns: 3
items:
- - href: https://blogs.windows.com/windowsexperience/
+ - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
html: Get the update >
image:
src: https://docs.microsoft.com/media/common/i_deploy.svg
title: Windows 10, version 1903 rollout begins
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064
html: Read about the latest enhancements >
image:
src: https://docs.microsoft.com/media/common/i_whats-new.svg
title: What’s new in Windows Update for Business
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024
html: Get an overview >
image:
src: https://docs.microsoft.com/media/common/i_investigate.svg
@@ -60,9 +60,8 @@ sections:
- type: markdown
text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
- System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
See details > | April 09, 2019
KB4493471 | Resolved
| May 14, 2019
01:21 PM PT |
- System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.
See details > | April 09, 2019
KB4493471 | Resolved
| May 14, 2019
01:19 PM PT |
- Authentication may fail for services after the Kerberos ticket expires
Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.
See details > | March 12, 2019
KB4489880 | Resolved
KB4499149 | May 14, 2019
10:00 AM PT |
+ Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details > | June 11, 2019
KB4503273 | Mitigated
| July 10, 2019
02:59 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503273 | Resolved
KB4503271 | June 20, 2019
02:00 PM PT |
"
@@ -73,21 +72,20 @@ sections:
"
-- title: April 2019
+- title: July 2019
- items:
- type: markdown
text: "
| Details | Originating update | Status | History |
- System unresponsive after restart if Sophos Endpoint Protection installedMicrosoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493471.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.
Back to top | April 09, 2019
KB4493471 | Resolved
| Resolved:
May 14, 2019
01:21 PM PT
Opened:
April 09, 2019
10:00 AM PT |
- System may be unresponsive after restart if Avira antivirus software installedMicrosoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493471.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.
Back to top | April 09, 2019
KB4493471 | Resolved
| Resolved:
May 14, 2019
01:19 PM PT
Opened:
April 09, 2019
10:00 AM PT |
+ Devices starting using PXE from a WDS or SCCM servers may fail to startDevices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503273 on a WDS server.
Affected platforms: - Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Workaround:
Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.
To mitigate this issue on a WDS server without SCCM: - In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
- In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | June 11, 2019
KB4503273 | Mitigated
| Last updated:
July 10, 2019
02:59 PM PT
Opened:
July 10, 2019
02:51 PM PT |
"
-- title: March 2019
+- title: June 2019
- items:
- type: markdown
text: "
| Details | Originating update | Status | History |
- Authentication may fail for services after the Kerberos ticket expiresAfter installing KB4489880, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails.
Affected platforms: - Client: Windows 7 SP1
- Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4499149.
Back to top | March 12, 2019
KB4489880 | Resolved
KB4499149 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503271. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.
Back to top | June 11, 2019
KB4503273 | Resolved
KB4503271 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
"
diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml
index e98321c34c..ee7242d18a 100644
--- a/windows/release-information/status-windows-server-2012.yml
+++ b/windows/release-information/status-windows-server-2012.yml
@@ -29,17 +29,17 @@ sections:
columns: 3
items:
- - href: https://blogs.windows.com/windowsexperience/
+ - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
html: Get the update >
image:
src: https://docs.microsoft.com/media/common/i_deploy.svg
title: Windows 10, version 1903 rollout begins
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064
html: Read about the latest enhancements >
image:
src: https://docs.microsoft.com/media/common/i_whats-new.svg
title: What’s new in Windows Update for Business
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024
html: Get an overview >
image:
src: https://docs.microsoft.com/media/common/i_investigate.svg
@@ -60,13 +60,12 @@ sections:
- type: markdown
text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
+ Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details > | June 11, 2019
KB4503285 | Mitigated
| July 10, 2019
07:09 PM PT |
Japanese IME doesn't show the new Japanese Era name as a text input option
If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.
See details > | April 25, 2019
KB4493462 | Mitigated
| May 15, 2019
05:53 PM PT |
- Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.
See details > | March 12, 2019
KB4489891 | Mitigated
| April 25, 2019
02:00 PM PT |
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.
See details > | January 08, 2019
KB4480975 | Mitigated
| April 25, 2019
02:00 PM PT |
- Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | May 14, 2019
KB4499171 | Resolved
KB4505050 | May 18, 2019
02:00 PM PT |
- Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details > | April 25, 2019
KB4493462 | Resolved
KB4499171 | May 14, 2019
10:00 AM PT |
- System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
See details > | April 09, 2019
KB4493451 | Resolved
| May 14, 2019
01:21 PM PT |
- System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.
See details > | April 09, 2019
KB4493451 | Resolved
| May 14, 2019
01:19 PM PT |
+ Some devices and generation 2 Hyper-V VMs may have issues installing updates
Some devices and generation 2 Hyper-V virtual machines (VMs) may have issues installing some updates when Secure Boot is enabled.
See details > | June 11, 2019
KB4503285 | Resolved
KB4503295 | June 21, 2019
02:00 PM PT |
+ IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.
See details > | May 14, 2019
KB4499171 | Resolved
KB4503295 | June 21, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503285 | Resolved
KB4503295 | June 20, 2019
02:00 PM PT |
"
@@ -77,34 +76,32 @@ sections:
"
+- title: July 2019
+- items:
+ - type: markdown
+ text: "
+
| Details | Originating update | Status | History |
+ Devices starting using PXE from a WDS or SCCM servers may fail to startDevices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503285 on a WDS server.
Affected platforms: - Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Workaround: To mitigate this issue on an SCCM server: - Verify Variable Window Extension is enabled.
- Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.
To mitigate this issue on a WDS server without SCCM: - In WDS TFTP settings, verify Variable Window Extension is enabled.
- In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
- In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | June 11, 2019
KB4503285 | Mitigated
| Last updated:
July 10, 2019
07:09 PM PT
Opened:
July 10, 2019
02:51 PM PT |
+
+ "
+
+- title: June 2019
+- items:
+ - type: markdown
+ text: "
+
| Details | Originating update | Status | History |
+ Some devices and generation 2 Hyper-V VMs may have issues installing updatesSome devices and generation 2 Hyper-V virtual machines (VMs) may have issues installing KB4503285 or later updates when Secure Boot is enabled.
Affected platforms: - Server: Windows Server 2012
Resolution: This issue was resolved in KB4503295. If your device is using Security Only updates, this issue was resolved in KB4508776.
Back to top | June 11, 2019
KB4503285 | Resolved
KB4503295 | Resolved:
June 21, 2019
02:00 PM PT
Opened:
June 19, 2019
04:57 PM PT |
+ | IE11 may stop working when loading or interacting with Power BI reports Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.
Affected platforms: - Client: Windows 7 SP1; Windows 8.1
- Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Resolution: This issue was resolved in Preview Rollup KB4503295. If you are using the Internet Explorer cumulative updates, this issue was resolved in KB4508646.
Back to top | May 14, 2019
KB4499171 | Resolved
KB4503295 | Resolved:
June 21, 2019
02:00 PM PT
Opened:
June 07, 2019
02:57 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503295. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.
Back to top | June 11, 2019
KB4503285 | Resolved
KB4503295 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
+
+ "
+
- title: May 2019
- items:
- type: markdown
text: "
| Details | Originating update | Status | History |
| Japanese IME doesn't show the new Japanese Era name as a text input option If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.
Affected platforms: - Client: Windows 8.1
- Server: Windows Server 2012 R2; Windows Server 2012
Workaround: If you see any of the previous dictionary updates listed below, uninstall it from Programs and features > Uninstall or change a program. New words that were in previous dictionary updates are also in this update. - Update for Japanese Microsoft IME Standard Dictionary (15.0.2013)
- Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.2013)
- Update for Japanese Microsoft IME Standard Dictionary (15.0.1215)
- Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1215)
- Update for Japanese Microsoft IME Standard Dictionary (15.0.1080)
- Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1080)
Back to top | April 25, 2019
KB4493462 | Mitigated
| Last updated:
May 15, 2019
05:53 PM PT
Opened:
May 15, 2019
05:53 PM PT |
- | Unable to access some gov.uk websites After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms: - Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolved: We have released an \"optional\" update for Internet Explorer 11 ( KB4505050) to resolve this issue. We recommend you apply this update by installing KB4505050 from Windows Update and then restarting your device.
Back to top | May 14, 2019
KB4499171 | Resolved
KB4505050 | Resolved:
May 18, 2019
02:00 PM PT
Opened:
May 16, 2019
01:57 PM PT |
- | Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue has been resolved.
Back to top | April 25, 2019
KB4493462 | Resolved
KB4499171 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
May 10, 2019
10:35 AM PT |
-
- "
-
-- title: April 2019
-- items:
- - type: markdown
- text: "
-
| Details | Originating update | Status | History |
- System unresponsive after restart if Sophos Endpoint Protection installedMicrosoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493451.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.
Back to top | April 09, 2019
KB4493451 | Resolved
| Resolved:
May 14, 2019
01:21 PM PT
Opened:
April 09, 2019
10:00 AM PT |
- System may be unresponsive after restart if Avira antivirus software installedMicrosoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493451.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.
Back to top | April 09, 2019
KB4493451 | Resolved
| Resolved:
May 14, 2019
01:19 PM PT
Opened:
April 09, 2019
10:00 AM PT |
-
- "
-
-- title: March 2019
-- items:
- - type: markdown
- text: "
-
| Details | Originating update | Status | History |
- Issue using PXE to start a device from WDSAfter installing KB4489891, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:
Option 1: Open an Administrator Command prompt and type the following: Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No
-
Option 2: Use the Windows Deployment Services UI to make the following adjustment: - Open Windows Deployment Services from Windows Administrative Tools.
- Expand Servers and right-click a WDS server.
- Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.
Option 3: Set the following registry value to 0: HKLM\\System\\CurrentControlSet\\Services\\WDSServer\\Providers\\WDSTFTP\\EnableVariableWindowExtension
Restart the WDSServer service after disabling the Variable Window Extension.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.
Back to top | March 12, 2019
KB4489891 | Mitigated
| Last updated:
April 25, 2019
02:00 PM PT
Opened:
March 12, 2019
10:00 AM PT |
"
diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml
index 9619ecc9de..31946a06a8 100644
--- a/windows/release-information/windows-message-center.yml
+++ b/windows/release-information/windows-message-center.yml
@@ -23,17 +23,17 @@ sections:
columns: 2
items:
- - href: https://blogs.windows.com/windowsexperience/
+ - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
html: Get the update >
image:
src: https://docs.microsoft.com/media/common/i_deploy.svg
title: Windows 10, version 1903 rollout begins
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064
html: Read about the latest enhancements >
image:
src: https://docs.microsoft.com/media/common/i_whats-new.svg
title: What’s new in Windows Update for Business
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024
html: Get an overview >
image:
src: https://docs.microsoft.com/media/common/i_investigate.svg
@@ -50,9 +50,12 @@ sections:
text: "
| Message | Date |
- Windows 10, version 1903 rollout begins
The Windows 10 May 2019 Update (Windows 10, version 1903) is available today to commercial customers via Windows Server Update Services (WSUS), Windows Update for Business, and the Volume Licensing Service Center (VLSC)—and to end users who manually select “Check for updates.” We are slowly throttling up availability while we carefully monitor data and feedback. | May 21, 2019
10:00 AM PT |
- What’s new in Windows Update for Business
We are enhancing and expanding the capabilities of Windows Update for Business to make the move to the cloud even easier. From simplified branch readiness options to better control over deadlines and reboots, read about the enhancements to Windows Update for Business as a part of Windows 10, version 1903. | May 21, 2019
10:00 AM PT |
- What’s new for businesses and IT pros in Windows 10
Explore the newest capabilities for businesses and IT in the latest feature update in the areas of intelligent security, simplified updates, flexible management, and enhanced productivity. | May 21, 2019
10:00 AM PT |
+ Evolving Windows 10 servicing and quality
Find out how we plan to further optimize the delivery of the next Windows 10 feature update for devices running Windows 10, version 1903. If you're a commercial customer, please see the Windows IT Pro Blog for more details on how to plan for this new update option in your environment. | July 01, 2019
02:00 PM PT |
+ Windows 10, version 1903 starting to roll out to devices running Windows 10, version 1803 and earlier
We are now beginning to build and train the machine learning (ML) based rollout process to update devices running Windows 10, version 1803 (the April 2018 Update) and earlier versions of Windows 10, to ensure we can continue to service these devices and provide the latest updates, security updates, and improvements. | June 18, 2019
02:00 PM PT |
+ Windows 10, version 1903 available by selecting “Check for updates”
Windows 10, version 1903 is now available for any user who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel. | June 06, 2019
06:00 PM PT |
+ Windows 10, version 1903 rollout begins
The Windows 10 May 2019 Update (Windows 10, version 1903) is available today to commercial customers via Windows Server Update Services (WSUS), Windows Update for Business, and the Volume Licensing Service Center (VLSC)—and to end users who manually select “Check for updates.” We are slowly throttling up availability while we carefully monitor data and feedback. | May 21, 2019
10:00 AM PT |
+ What’s new in Windows Update for Business
We are enhancing and expanding the capabilities of Windows Update for Business to make the move to the cloud even easier. From simplified branch readiness options to better control over deadlines and reboots, read about the enhancements to Windows Update for Business as a part of Windows 10, version 1903. | May 21, 2019
10:00 AM PT |
+ What’s new for businesses and IT pros in Windows 10
Explore the newest capabilities for businesses and IT in the latest feature update in the areas of intelligent security, simplified updates, flexible management, and enhanced productivity. | May 21, 2019
10:00 AM PT |
Reminder: Install the latest SSU for a smoother update experience
We strongly recommend that you install the latest servicing stack update (SSU) before installing any Windows update; especially as an SSU may be a prerequisite for some updates. If you have difficulty installing Windows updates, verify that you have installed the latest SSU package for your version of Windows and then try installing the update again. Links to the latest SSU are always provided in the “How to get this update” section of each update KB article (e.g., KB4494441). For more information about SSUs, see our Servicing stack updates guidance. | May 14, 2019
10:00 AM PT |
Take action: Update Remote Desktop Services on older versions of Windows
Today, we released fixes for a critical wormable, remote code execution vulnerability ( CVE-2019-0708) in Remote Desktop Services—formerly known as Terminal Services. This vulnerability affects Windows 7, Windows Server 2008 R2, and earlier versions of Windows nearing end of support. It does not affect Windows 8, Windows Server 2012, or newer operating systems. While we have not observed attacks exploiting this vulnerability, affected systems should be patched with priority. Here is what you need to know:
Call to action:
@@ -107,7 +110,7 @@ If you are still unable to connect to Windows Update services due to this proble
Driver quality in the Windows ecosystem
Ensuring Windows 10 works great with all the devices and accessories our customers use is a top priority. We work closely with this broad mix of partners to test new drivers, monitor health characteristics over time, and make Windows and our ecosystem more resilient architecturally. Our goal is to ensure that all the updates and drivers we deliver to non-Insider populations are validated and at production quality (including monthly optional releases) before pushing drivers broadly to all. Explore the driver distribution chain and learn how we measure driver quality and prevent conflicts. | December 19, 2018
10:04 AM PT |
Introducing the Modern Desktop podcast series
In this new podcast series, we'll explore the good, the bad, and, yes, the ugly of servicing and delivery for Windows 10 and Office 365 ProPlus. We'll talk about modern desktop management through Enterprise Mobility, security, and cloud-attached and co-managed environments. Listen to the first episode, in which we discuss monthly quality updates fpr Windows 10, the Microsoft 365 Stay Current pilot program, and interview a real customer to see how they ingest monthly updates in their organization. | December 18, 2018
01:00 PM PT |
Measuring Delivery Optimization and its impact to your network
If you've familiarized yourself with the configuration options for Delivery Optimization in Windows 10, and have started to configure the settings you feel will be the best fit for your organization’s network topology, now is the time to see how well those settings are working. This article provides tips on how evaluate performance at the device level or organization level. | December 13, 2018
03:48 PM PT |
- Windows monthly security and quality updates overview
Today’s global cybersecurity threats are both dynamic and sophisticated, and new vulnerabilities are discovered almost every day. We focus on protecting customers from these security threats by providing security updates on a timely basis and with high quality. Find out how how we deliver these critical updates on a massive scale as a key component of our ongoing Windows as a service effort. | December 10, 2018
10:00 AM PT |
+ Windows monthly security and quality updates overview
Today’s global cybersecurity threats are both dynamic and sophisticated, and new vulnerabilities are discovered almost every day. We focus on protecting customers from these security threats by providing security updates on a timely basis and with high quality. Find out how we deliver these critical updates on a massive scale as a key component of our ongoing Windows as a service effort. | December 10, 2018
10:00 AM PT |
LTSC: What is it, and when should it be used?
With the Semi-Annual Channel, devices receive two feature updates per year, and benefit from the best performance, user experience, security, and stability. This servicing option continues to be our recommendation for managing Windows 10 updates; however, we acknowledge that certain devices and use cases (e.g. medical systems and industrial process controllers) dictate that functionality and features don’t change over time. Find out how we designed the Long-Term Servicing Channel (LTSC) with these types of use cases in mind, and what is offered through the LTSC. | November 29, 2018
07:02 PM PT |
Plan for change: Local Experience Packs: What are they and when should you use them?
When we released Windows 10, version 1803, we introduced Local Experience Packs (LXPs), which are modern language packs delivered through the Microsoft Store or Microsoft Store for Business. Learn about the biggest advantage to LXPs, and the retirement of legacy language packs (lp.cab) for all Language Interface Packs (LIP). | November 14, 2018
11:10 AM PT |
Windows 10 Quality approach for a complex ecosystem
While our measurements of quality show improving trends on aggregate for each successive Windows 10 release, if a single customer experiences an issue with any of our updates, we take it seriously. In this blog post, Windows CVP Mike Fortin shares an overview of how we work to continuously improve the quality of Windows and our Windows as a service approach. This blog will be the first in a series of more in-depth explanations of the work we do to deliver quality in our Windows releases. | November 13, 2018
10:00 AM PT |
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index d407ef1215..14b733039f 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -32,14 +32,12 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
- "uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
- "ms.author": "justinha",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.security",
diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md
index 65e1e3a384..4981294bac 100644
--- a/windows/security/identity-protection/access-control/active-directory-security-groups.md
+++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md
@@ -2883,7 +2883,7 @@ This security group was introduced in Windows Server 2012, and it has not chang
Well-Known SID/RID |
-S-1-5-21-<domain>-553 |
+S-1-5-32-<domain>-576 |
Type |
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index f7a788e6f8..d63ee0bd86 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -117,6 +117,74 @@ When enabling the Guest account, only grant limited rights and permissions. For
In addition, the guest user in the Guest account should not be able to view the event logs. After the Guest account is enabled, it is a best practice to monitor the Guest account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user.
+## HelpAssistant account (installed with a Remote Assistance session)
+
+
+The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending.
+
+HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it is initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user’s invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service.
+
+**Security considerations**
+
+The SIDs that pertain to the default HelpAssistant account include:
+
+- SID: S-1-5-<domain>-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note that, in Windows Server 2008, Remote Desktop Services are called Terminal Services.
+
+- SID: S-1-5-<domain>-14, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
+
+For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance before it can be used.
+
+For details about the HelpAssistant account attributes, see the following table.
+
+**HelpAssistant account attributes**
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-<domain>-13 (Terminal Server User), S-1-5-<domain>-14 (Remote Interactive Logon) |
+
+
+Type |
+User |
+
+
+Default container |
+CN=Users, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+Domain Guests
+Guests |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Can be moved out, but we do not recommend it. |
+
+
+Safe to delegate management of this group to non-Service admins? |
+No |
+
+
+
### DefaultAccount
@@ -125,7 +193,7 @@ The DSMA is a well-known user account type.
It is a user neutral account that can be used to run processes that are either multi-user aware or user-agnostic.
The DSMA is disabled by default on the desktop SKUs (full windows SKUs) and WS 2016 with the Desktop.
-The DSMA has a well-known RID of 503. The security identifier (SID) of the DSMA will thus have a well-known SID in the following format: S-1-5-21--503
+The DSMA has a well-known RID of 503. The security identifier (SID) of the DSMA will thus have a well-known SID in the following format: S-1-5-21-\-503
The DSMA is a member of the well-known group **System Managed Accounts Group**, which has a well-known SID of S-1-5-32-581.
@@ -447,7 +515,7 @@ The following table shows the Group Policy settings that are used to deny networ
2. Double-click **Deny log on through Remote Desktop Services**.
- 3. Click **Add User or Group**, type type **Local account and member of Administrators group**, and > **OK**.
+ 3. Click **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**.
8. Link the GPO to the first **Workstations** OU as follows:
diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md
index 576e8b4fd0..d8db3e63d2 100644
--- a/windows/security/identity-protection/access-control/security-identifiers.md
+++ b/windows/security/identity-protection/access-control/security-identifiers.md
@@ -283,6 +283,14 @@ The following table describes changes in SID implementation in the Windows opera
| Most of the operating system files are owned by the TrustedInstaller security identifier (SID)| Windows Server 2008, Windows Vista| The purpose of this change is to prevent a process that is running as an administrator or under the LocalSystem account from automatically replacing the operating system files. |
| Restricted SID checks are implemented| Windows Server 2008, Windows Vista| When restricting SIDs are present, Windows performs two access checks. The first is the normal access check, and the second is the same access check against the restricting SIDs in the token. Both access checks must pass to allow the process to access the object. |
+## Capability SIDs
+
+Capability Security Identifiers (SIDs) are used to uniquely and immutably identify capabilities. Capabilities represent an unforgeable token of authority that grants access to resources (Examples: documents, camera, locations etc...) to Universal Windows Applications. An App that “has” a capability is granted access to the resource the capability is associated with, and one that “does not have” a capability is denied access to the resource.
+
+All Capability SIDs that the operating system is aware of are stored in the Windows Registry in the path `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities'. Any Capability SID added to Windows by first or third-party applications will be added to this location.
+
+All Capability SIDs are prefixed by S-1-15-3
+
## See also
- [Access Control Overview](access-control.md)
diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md
index 8713d91370..978d72142a 100644
--- a/windows/security/identity-protection/access-control/special-identities.md
+++ b/windows/security/identity-protection/access-control/special-identities.md
@@ -83,7 +83,7 @@ The special identity groups are described in the following tables:
- [This Organization](#this-organization)
-- [Window Manager\\Window Manager Group](#window-manager-window-manager-group)
+- [Window Manager\\Window Manager Group](#window-managerwindow-manager-group)
## Anonymous Logon
diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
index 9d212561c9..c67ea0ab51 100644
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@@ -75,7 +75,7 @@ Run the following command:
CertReq -EnrollCredGuardCert MachineAuthentication
```
-> [!NOTE]
+> [!NOTE]
> You must restart the device after enrolling the machine authentication certificate.
##### How a certificate issuance policy can be used for access control
@@ -126,7 +126,7 @@ Authentication policies have the following requirements:
11. Click **OK** to create the authentication policy.
12. Close Active Directory Administrative Center.
-> [!NOTE]
+> [!NOTE]
> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures.
##### Discovering authentication failures due to authentication policies
@@ -327,14 +327,14 @@ write-host "There are no issuance policies which are not mapped to groups"
}
}
```
-> [!NOTE]
+> [!NOTE]
> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
#### Link an issuance policy to a group
Save the script file as set-IssuancePolicyToGroupLink.ps1.
-``` syntax
+```powershell
#######################################
## Parameters to be defined ##
## by the user ##
@@ -609,5 +609,5 @@ write-host $tmp -Foreground Red
}
```
-> [!NOTE]
+> [!NOTE]
> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
index a2e1958009..2e1a83d9b7 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
@@ -100,7 +100,7 @@ Run the following command:
CertReq -EnrollCredGuardCert MachineAuthentication
```
-> [!NOTE]
+> [!NOTE]
> You must restart the device after enrolling the machine authentication certificate.
##### How a certificate issuance policy can be used for access control
@@ -151,7 +151,7 @@ Authentication policies have the following requirements:
11. Click **OK** to create the authentication policy.
12. Close Active Directory Administrative Center.
-> [!NOTE]
+> [!NOTE]
> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures.
##### Discovering authentication failures due to authentication policies
@@ -356,7 +356,7 @@ write-host "There are no issuance policies which are not mapped to groups"
}
}
```
-> [!NOTE]
+> [!NOTE]
> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
#### Link an issuance policy to a group
@@ -638,7 +638,7 @@ write-host $tmp -Foreground Red
}
```
-> [!NOTE]
+> [!NOTE]
> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
## See also
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
index b6c7e284af..0b6d13f777 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
@@ -209,7 +209,7 @@ write-host "There are no issuance policies which are not mapped to groups"
}
}
```
-> [!NOTE]
+> [!NOTE]
> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
## Link an issuance policy to a group
@@ -491,5 +491,5 @@ write-host $tmp -Foreground Red
}
```
-> [!NOTE]
+> [!NOTE]
> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md
index c6f6c2f100..6747177c1d 100644
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md
+++ b/windows/security/identity-protection/enterprise-certificate-pinning.md
@@ -26,7 +26,7 @@ ms.reviewer:
Enterprise certificate pinning is a Windows feature for remembering, or “pinning,” a root issuing certificate authority or end entity certificate to a given domain name.
Enterprise certificate pinning helps reduce man-in-the-middle attacks by enabling you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates.
->[!NOTE]
+>[!NOTE]
> External domain names, where the certificate issued to these domains is issued by a public certificate authority, are not ideal for enterprise certificate pinning.
Windows Certificate APIs (CertVerifyCertificateChainPolicy and WinVerifyTrust) are updated to check if the site’s server authentication certificate chain matches a restricted set of certificates.
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index c33567fa7c..3923238254 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -273,7 +273,7 @@ This example configures an IPConfig signal type using Ipv4Prefix, Ipv4DnsServer,
#### Example 2
This example configures an IpConfig signal type using a dnsSuffix element and a bluetooth signal for phones. This configuration is wrapped for reading. Once properly formatted, the entire XML contents must be a single line. This example implies that either the ipconfig **or** the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true.
->[!NOTE]
+>[!NOTE]
>Separate each rule element using a comma.
```
diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
index 15e3791181..57524af4a3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
+++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
@@ -1,6 +1,6 @@
---
-title: Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments
-description: Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments
+title: Planning an adequate number of Windows Server 2019 Domain Controllers for Windows Hello for Business deployments
+description: Planning an adequate number of Windows Server 2019 Domain Controllers for Windows Hello for Business deployments
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust
ms.prod: w10
ms.mktglfcycl: deploy
@@ -16,34 +16,44 @@ localizationpriority: medium
ms.date: 08/20/2018
ms.reviewer:
---
-# Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments
+# Planning an adequate number of Windows Server 2019 Domain Controllers for Windows Hello for Business deployments
**Applies to**
-- Windows 10, version 1702 or later
+- Windows 10, version 1703 or later
+- Windows Server, versions 2016 and 2019
- Hybrid or On-Premises deployment
- Key trust
+> [!NOTE]
+>There was an issue with key trust on Windows Server 2019. To fix it, refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044).
+
## How many is adequate
-How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2016 includes the KDC AS Requests performance counter. You can use these counters to determine how much of a domain controller's load is due to initial Kerberos authentication. It's important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication--it remains unchanged.
+
+How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2019 includes the KDC AS Requests performance counter. You can use this counter to determine how much of a domain controller's load is due to initial Kerberos authentication. It's important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication - it remains unchanged.
-Windows 10 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers. Therefore, users in a key trust deployment must authenticate to a Windows Server 2016 domain controller.
+
+Windows 10 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2019 domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers. Therefore, users in a key trust deployment must authenticate to a Windows Server 2019 domain controller.
-Determining an adequate number of Windows Server 2016 domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding the most current version of a domain controller (in this case Windows Server 2016) to a deployment of existing domain controllers (Windows Server 2008R2 or Windows Server 2012R2) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as "piling on". To illustrate the "piling on" concept, consider the following scenario:
+
+Determining an adequate number of Windows Server 2019 domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding the most current version of a domain controller (in this case Windows Server 2019) to a deployment of existing domain controllers (Windows Server 2008R2, Windows Server 2012R2 or Windows Server 2016) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as "piling on". To illustrate the "piling on" concept, consider the following scenario:
+
Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following:
-The environment changes. The first change includes DC1 upgraded to Windows Server 2016 to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following:
+
+The environment changes. The first change includes DC1 upgraded to Windows Server 2019 to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following:
-The Windows Server 2016 domain controller is handling 100 percent of all public key trust authentication. However, it is also handling 10 percent of the password authentication. Why? This behavior occurs because domain controllers 2- 10 only support password and certificate trust authentication; only a Windows Server 2016 domain controller supports authentication public key trust authentication. The Windows Server 2016 domain controller understands how to authenticate password and certificate trust authentication and will continue to share the load of authenticating those clients. Because DC1 can handle all forms of authentication, it will be bear more of the authentication load, and easily become overloaded. What if another Windows Server 2016 domain controller is added, but without deploying Windows Hello for Business to anymore clients?
+The Windows Server 2019 domain controller is handling 100 percent of all public key trust authentication. However, it is also handling 10 percent of the password authentication. Why? This behavior occurs because domain controllers 2 - 10 only support password and certificate trust authentication; only a Windows Server 2019 domain controller supports public key trust authentication. The Windows Server 2019 domain controller understands how to authenticate password and certificate trust authentication and will continue to share the load of authenticating those clients. Because DC1 can handle all forms of authentication, it will bear more of the authentication load, and easily become overloaded. What if another Windows Server 2019 domain controller is added, but without deploying Windows Hello for Business to any more clients?
+
-Upgrading another Windows Server 2016 domain controller distributes the public key trust authentication across two domain controllers--each supporting 50 percent of the load. But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2016 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2016, but the number of WHFB clients remains the same.
+Upgrading another Windows Server 2019 domain controller distributes the public key trust authentication across two domain controllers - each supporting 50 percent of the load. But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2019 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2019, but the number of WHFB clients remains the same.
@@ -51,7 +61,7 @@ Domain controllers 1 through 5 now share the public key trust authentication loa
-You'll notice the distribution did not change. Each Windows Server 2016 domain controller handles 20 percent of the public key trust authentication. However, increasing the volume of authentication (by increasing the number of clients) increases the amount of work that is represented by the same 20 percent. In the previous example, 20 percent of public key trust authentication equated to a volume of 20 authentications per domain controller capable of public key trust authentication. However, with upgraded clients, that same 20 percent represents a volume 100 public key trust authentications per public key trust capable domain controller. Also, the distribution of non-public key trust authentication remained at 10 percent, but the volume of password and certificate trust authentication decreased across the older domain controllers.
+You'll notice the distribution did not change. Each Windows Server 2019 domain controller handles 20 percent of the public key trust authentication. However, increasing the volume of authentication (by increasing the number of clients) increases the amount of work that is represented by the same 20 percent. In the previous example, 20 percent of public key trust authentication equated to a volume of 20 authentications per domain controller capable of public key trust authentication. However, with upgraded clients, that same 20 percent represents a volume of 100 public key trust authentications per public key trust capable domain controller. Also, the distribution of non-public key trust authentication remained at 10 percent, but the volume of password and certificate trust authentications decreased across the older domain controllers.
There are several conclusions here:
* Upgrading domain controllers changes the distribution of new authentication, but doesn't change the distribution of older authentication.
@@ -62,6 +72,8 @@ There are several conclusions here:
The preceding was an example to show why it's unrealistic to have a "one-size-fits-all" number to describe what "an adequate amount" means. In the real world, authentication is not evenly distributed across domain controllers.
+
+
## Determining total AS Request load
Each organization needs to have a baseline of the AS request load that occurs in their environment. Windows Server provides the KDC AS Requests performance counter that helps you determine this.
@@ -83,13 +95,15 @@ Add the number of authentications for each domain controller for the median time
Review the distribution of authentication. Hopefully, none of these are above 70 percent. It's always good to reserve some capacity for the unexpected. Also, the primary purposes of a domain controller are to provide authentication and handle Active Directory operations. Identify domain controllers with lower distributions of authentication as potential candidates for the initial domain controller upgrades in conjunction with a reasonable distribution of clients provisioned for Windows Hello for Business.
## Monitoring Authentication
-Using the same methods previously described above, monitor the Kerberos authentication after upgrading a domain controller and your first phase of Windows Hello for Business deployments. Make note of the delta of authentication before and after upgrading the domain controller to Windows Server 2016. This delta is representative of authentication resulting from the first phase of your Windows Hello for Business clients. This gives you a baseline for your environment from which you can form a statement such as
+
+Using the same methods described above, monitor the Kerberos authentication after upgrading a domain controller and your first phase of Windows Hello for Business deployments. Make note of the delta of authentication before and after upgrading the domain controller to Windows Server 2019. This delta is representative of authentication resulting from the first phase of your Windows Hello for Business clients. It gives you a baseline for your environment to where you can form a statement such as:
+
```"Every n Windows Hello for Business clients results in x percentage of key-trust authentication."```
Where _n_ equals the number of clients you switched to Windows Hello for Business and _x_ equals the increased percentage of authentication from the upgraded domain controller. Armed with this information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment.
-Remember, increasing the number of clients changes the volume of authentication distributed across the Windows Server 2016 domain controllers. If there is only one Windows Server 2016 domain controller, there's no distribution and you are simply increasing the volume of authentication for which THAT domain controller is responsible.
+Remember, increasing the number of clients changes the volume of authentication distributed across the Windows Server 2019 domain controllers. If there is only one Windows Server 2019 domain controller, there's no distribution and you are simply increasing the volume of authentication for which THAT domain controller is responsible.
Increasing the number of domain controllers distributes the volume of authentication, but doesn't change it. Therefore, as you add more domain controllers, the burden of authentication, for which each domain controller is responsible, decreases. Upgrading two domain controller changes the distribution to 50 percent. Upgrading three domain controllers changes the distribution to 33 percent, and so on.
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index fc0ae7661b..8d6b7d474a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -151,7 +151,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
### Windows Server 2012 or later Domain Controllers
-Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008R2-domain-controllers) section.
+Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008-r2-domain-controllers) section.
Sign-in the federation server with _domain administrator_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm.
@@ -382,7 +382,7 @@ $deSCP.Properties["keywords"].Add("enterpriseDrsName:" + $enrollmentService)
$deSCP.CommitChanges()
```
->[!NOTE]
+>[!NOTE]
> You can save the modified script in notepad and save them as "add-scpadfs.ps1" and the way to run it is just navigating into the script path folder and running .\add-scpAdfs.ps1.
>
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
index ec2e495b92..6865d59384 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
@@ -182,7 +182,7 @@ The User Portal and Mobile Application web services need to communicate with the
1. Open **Active Directory Users and Computers**.
2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**.
-3. In the **New Object – User** dialog box, type **PFWSDK_** in the **First name** and **User logon name** boxes, where ** is the name of the primary MFA server running the Web Services SDK. Click **Next**.
+3. In the **New Object – User** dialog box, type **PFWSDK_\** in the **First name** and **User logon name** boxes, where *\* is the name of the primary MFA server running the Web Services SDK. Click **Next**.
4. Type a strong password and confirm it in the respective boxes. Clear **User must change password at next logon**. Click **Next**. Click **Finish** to create the user account.
#### Add the MFA SDK user account to the Phonefactor Admins group
@@ -192,7 +192,7 @@ Adding the WebServices SDK user account to the Phonefactor Admins group provides
1. Open **Active Directory Users and Computers**.
2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select **Users**. In the content pane. Right-click the **Phonefactor Admins** security group and select Properties.
3. Click the Members tab.
-4. Click **Add**. Click **Object Types..** Type the PFWSDK_ user name in the **Enter the object names to select** box and then click **OK**.
+4. Click **Add**. Click **Object Types..** Type the PFWSDK_\ user name in the **Enter the object names to select** box and then click **OK**.
* The computer account for the primary MFA Server
* The Webservices SDK user account
* Group or user account that will manage the User Portal server.
@@ -507,7 +507,7 @@ Sign in the primary AD FS server with _local administrator_ equivalent credentia
Sign in the primary AD FS server with _local administrator_ equivalent credentials.
-Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file.
+Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **\** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file.
### Run the AD FS Adapter PowerShell cmdlet
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
index c4ffbeb3a0..58616c9d65 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
@@ -27,9 +27,6 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
[Hybrid Azure AD joined in Managed environments](#hybrid-azure-ad-joined-in-managed-environments)
[Hybrid Azure AD joined in Federated environments](#hybrid-azure-ad-joined-in-federated-environments)
-
-
-
## Azure AD joined in Managed environments
@@ -44,7 +41,7 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
|G | The application sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client.|
|H | Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the process continues with MDM enrollment.|
-[Return to top](#Windows-Hello-for-Business-and-Device-Registration)
+[Return to top](#windows-hello-for-business-and-device-registration)
## Azure AD joined in Federated environments
@@ -60,7 +57,7 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
|H | The application sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client.|
|I | Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the process continues with MDM enrollment.|
-[Return to top](#Windows-Hello-for-Business-and-Device-Registration)
+[Return to top](#windows-hello-for-business-and-device-registration)
## Hybrid Azure AD joined in Managed environments
@@ -75,7 +72,7 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
|G | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then updates the device object in Azure Active Directory and sends the device ID and the device certificate to the client.|
|H | Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the task exits.|
-[Return to top](#Windows-Hello-for-Business-and-Device-Registration)
+[Return to top](#windows-hello-for-business-and-device-registration)
## Hybrid Azure AD joined in Federated environments
@@ -89,4 +86,4 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
|F | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client. Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the task exits.|
|G | If Azure AD Connect device write-back is enabled, Azure AD Connect requests updates from Azure Active Directory at its next synchronization cycle (device write-back is required for hybrid deployment using certificate trust). Azure Active Directory correlates the device object with a matching synchronized computer object. Azure AD Connect receives the device object that includes the object GUID and computer SID and writes the device object to Active Directory.|
-[Return to top](#Windows-Hello-for-Business-and-Device-Registration)
+[Return to top](#windows-hello-for-business-and-device-registration)
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index 0492d0e9fc..a3ff61d617 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -85,7 +85,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
| B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application, which represents the end of user key registration. |
-| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys. |
+| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys. |
| E | The registration authority validates the public key in the certificate request matches a registered key for the user.
If the public key in the certificate is not found in the list of registered public keys, certificate enrollment is deferred until Phase F completes. The application is informed of the deferment and exits to the user's desktop. The automatic certificate enrollment client triggers the Azure AD Web Account Manager plug-in to retry the certificate enrollment at 24, 85, 145, 205, 265, and 480 minutes after phase C successfully completes. The user must remain signed in for automatic certificate enrollment to trigger certificate enrollment. If the user signs out, automatic certificate enrollment is triggered approximately 30 minutes after the user's next sign in.
After validating the public key, the registration authority signs the certificate request using its enrollment agent certificate. |
| G | The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application. |
| H | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning. |
@@ -105,7 +105,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
| B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID and a key receipt to the application, which represents the end of user key registration. |
-| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys. |
+| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys. |
| E | The registration authority validates the public key in the certificate request matches a registered key for the user.
If the public key in the certificate is not found in the list of registered public keys, it then validates the key receipt to confirm the key was securely registered with Azure.
After validating the key receipt or public key, the registration authority signs the certificate request using its enrollment agent certificate. |
| F | The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application. |
| G | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning. |
@@ -124,7 +124,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services (or a third party MFA service) provides the second factor of authentication.
The on-premises STS server issues a enterprise token on successful MFA. The application sends the token to Azure Active Directory.
Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
| B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID and a key receipt to the application, which represents the end of user key registration. |
-| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys. |
+| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys. |
| E | The registration authority validates the public key in the certificate request matches a registered key for the user.
If the public key in the certificate is not found in the list of registered public keys, it then validates the key receipt to confirm the key was securely registered with Azure.
After validating the key receipt or public key, the registration authority signs the certificate request using its enrollment agent certificate. |
| F | The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application. |
| G | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning. |
@@ -152,7 +152,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA server (or a third party MFA service) provides the second factor of authentication.
The on-premises STS server issues a enterprise DRS token on successful MFA.|
| B| After receiving a EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
|C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.|
-|D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys.|
+|D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys.|
|E | The registration authority validates the public key in the certificate request matches a registered key for the user.
After validating the public key, the registration authority signs the certificate request using its enrollment agent certificate.|
|F |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.|
|G | The application receives the newly issued certificate and installs it into the Personal store of the user. This signals the end of provisioning.|
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
index ca78d68e98..ef7fb31fff 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
@@ -22,9 +22,9 @@ ms.reviewer:
- Windows 10
Windows Hello for Business authentication works through collection of components and infrastructure working together. You can group the infrastructure and components in three categories:
-- [Registration](#Registration)
-- [Provisioning](#Provisioning)
-- [Authentication](#Authentication)
+- [Registration](#registration)
+- [Provisioning](#provisioning)
+- [Authentication](#authentication)
## Registration
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index fbb7791800..24f1ffb00b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -90,7 +90,7 @@ Steps you will perform include:
- [Configure Internet Information Services to host CRL distribution point](#configure-internet-information-services-to-host-crl-distribution-point)
- [Prepare a file share to host the certificate revocation list](#prepare-a-file-share-to-host-the-certificate-revocation-list)
-- [Configure the new CRL distribution point in the issuing certificate authority](#Configure-the-new-crl-distribution-point-in-the-issuing-certificate-authority)
+- [Configure the new CRL distribution point and Publishing location in the issuing certificate authority](#configure-the-new-crl-distribution-point-and-publishing-location-in-the-issuing-certificate-authority)
- [Publish CRL](#publish-a-new-crl)
- [Reissue domain controller certificates](#reissue-domain-controller-certificates)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
index 4dc8b49caf..8a74c77ed5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@@ -29,6 +29,9 @@ Your environment is federated and you are ready to configure device registration
> [!IMPORTANT]
> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment.
+>[!TIP]
+>Refer to the [Tutorial: Configure hybrid Azure Active Directory join for federated domains](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-federated-domains) to learn more about setting up Azure Active Directory Connect for a simplified join flow for Azure AD device registration.
+
Use this three-phased approach for configuring device registration.
1. [Configure devices to register in Azure](#configure-azure-for-device-registration)
2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-synchronization)
@@ -42,6 +45,9 @@ Use this three-phased approach for configuring device registration.
>
> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](https://docs.microsoft.com/azure/active-directory/device-management-introduction)
+>[!IMPORTANT]
+> To use hybrid identity with Azure Active Directory and device WriteBack features, you must use the built-in GUI with the [latest updates for ADConnect](https://www.microsoft.com/download/details.aspx?id=47594).
+
## Configure Azure for Device Registration
Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD.
@@ -66,7 +72,7 @@ To locate the schema master role holder, open and command prompt and type:
-The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role.
+The command should return the name of the domain controller where you need to run adprep.exe. Update the schema locally on the domain controller hosting the Schema master role.
#### Updating the Schema
@@ -130,7 +136,6 @@ If your AD FS farm is not already configured for Device Authentication (you can
The above PSH creates the following objects:
-
- RegisteredDevices container under the AD domain partition
- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration
- Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration
@@ -278,7 +283,8 @@ The definition helps you to verify whether the values are present or if you need
**`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added.
- @RuleName = "Issue account type with the value User when its not a computer"
+ @RuleName = "Issue account type with the value User when it is not a computer"
+
NOT EXISTS(
[
Type == "http://schemas.microsoft.com/ws/2012/01/accounttype",
@@ -473,6 +479,7 @@ The following script helps you with the creation of the issuance transform rules
Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $crSet.ClaimRulesString
+
#### Remarks
- This script appends the rules to the existing rules. Do not run the script twice because the set of rules would be added twice. Make sure that no corresponding rules exist for these claims (under the corresponding conditions) before running the script again.
@@ -512,7 +519,6 @@ For your reference, below is a comprehensive list of the AD DS devices, containe
> [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
-
## Follow the Windows Hello for Business hybrid certificate trust deployment guide
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index 4e0e71aa57..eaf63601ae 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -66,6 +66,9 @@ After a successful key registration, Windows creates a certificate request using
The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
+> [!NOTE]
+> In order for AD FS to verify the key used in the certificate request, it needs to be able to access the https://enterpriseregistration.windows.net endpoint.
+
The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user’s certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Windows Action Center.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index d3ab610a58..c4d3011a16 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -28,6 +28,9 @@ The Windows Server 2016 Active Directory Federation Server Certificate Registrat
The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate.
+> [!NOTE]
+> In order for AD FS to verify user certificate requests for Windows Hello for Business, it needs to be able to access the https://enterpriseregistration.windows.net endpoint.
+
### Configure the Registration Authority
Sign-in the AD FS server with *Domain Admin* equivalent credentials.
@@ -36,7 +39,7 @@ Sign-in the AD FS server with *Domain Admin* equivalent credentials.
2. Type the following command
```PowerShell
- Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication
+ Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication -WindowsHelloCertificateProxyEnabled $true
```
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index 6e3126b3c7..3a8ba5db87 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -55,7 +55,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
8. Close the console.
-#### Configure Certificate Suspeding for the Domain Controller Authentication (Kerberos) Certificate Template
+#### Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template
Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers--the domain controller certificate template. Later releases provided a new certificate template--the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension.
@@ -77,6 +77,9 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
+>[!NOTE]
+>The Domain Controller Certificate must be present in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store. If you are using a 3rd party CA, this may not be done by default. If the Domain Controller Certificate is not present in the NTAuth store, user authentication will fail.
+
### Enrollment Agent certificate template
Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate life-cycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts.
@@ -183,6 +186,7 @@ Sign-in to the certificate authority or management workstation with _Enterprise
4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window.
5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates.
+
### Section Review
> [!div class="checklist"]
> * Domain Controller certificate template
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index b826287e64..c8c3fee1a5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -29,14 +29,14 @@ Windows Hello for Business involves configuring distributed technologies that ma
* [Active Directory](#active-directory)
* [Public Key Infrastructure](#public-key-infrastructure)
* [Azure Active Directory](#azure-active-directory)
-* [Active Directory Federation Services](#active-directory-federation-services)
+* [Multifactor Authentication Services](#multifactor-authentication-services)
New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your existing environment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) section to prepare your Windows Hello for Business deployment by configuring directory synchronization.
The new installation baseline begins with a basic Active Directory deployment and enterprise PKI.
-## Active Directory ##
+## Active Directory
This document expects you have Active Directory deployed with an _adequate_ number of Windows Server 2016 domain controllers for each site. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
Lab environments and isolated proof of concepts may want to limit the number of domain controllers. The purpose of these environments is to experiment and learn. Reducing the number of domain controllers can prevent troubleshooting issue, such as Active Directory replication, which is unrelated to activity's goal.
@@ -83,7 +83,7 @@ If you do not have an existing public key infrastructure, please review [Certifi
> * Install the root certificate authority certificate for your organization in the user's trusted root certificate store.
> * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based URL.
-### Section Review ###
+### Section Review
> [!div class="checklist"]
> * Minimum Windows Server 2012 Certificate Authority.
@@ -92,7 +92,7 @@ If you do not have an existing public key infrastructure, please review [Certifi
> * Root certificate authority certificate (Azure AD Joined devices).
> * Highly available certificate revocation list (Azure AD Joined devices).
-## Azure Active Directory ##
+## Azure Active Directory
You’ve prepared your Active Directory. Hybrid Windows Hello for Business deployment needs Azure Active Directory to host your cloud-based identities.
The next step of the deployment is to follow the [Creating an Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/active-directory-howto-tenant) process to provision an Azure tenant for your organization.
@@ -104,12 +104,13 @@ The next step of the deployment is to follow the [Creating an Azure AD tenant](h
> * Create an Azure Active Directory Tenant.
> * Purchase the appropriate Azure Active Directory subscription or licenses, if necessary.
-## Multifactor Authentication Services ##
+## Multifactor Authentication Services
Windows Hello for Business uses multifactor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multifactor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA or a third-party MFA adapter
Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works.
-### Azure Multi-Factor Authentication (MFA) Cloud ###
+### Azure Multi-Factor Authentication (MFA) Cloud
+
> [!IMPORTANT]
> As long as your users have licenses that include Azure Multi-Factor Authentication, there's nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are:
> * Azure Multi-Factor Authentication
@@ -118,16 +119,16 @@ Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.co
>
> If you have one of these subscriptions or licenses, skip the Azure MFA Adapter section.
-#### Azure MFA Provider ####
+#### Azure MFA Provider
If your organization uses Azure MFA on a per-consumption model (no licenses), then review the [Create a Multifactor Authentication Provider](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider) section to create an Azure MFA Authentication provider and associate it with your Azure tenant.
-#### Configure Azure MFA Settings ####
+#### Configure Azure MFA Settings
Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings.
-#### Azure MFA User States ####
+#### Azure MFA User States
After you have completed configuring your Azure MFA settings, you want to review configure [User States](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users.
-### Azure MFA via ADFS ###
+### Azure MFA via ADFS
Alternatively, you can configure Windows Server 2016 Active Directory Federation Services (AD FS) to provide additional multi-factor authentication. To configure, read the [Configure AD FS 2016 and Azure MFA](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa) section.
### Section Review
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index 07bcd4e0ba..d1342ab11f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -28,13 +28,14 @@ Hybrid environments are distributed systems that enable organizations to use on-
The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include:
* [Directories](#directories)
-* [Public Key Infrastructure](#public-key-infastructure)
+* [Public Key Infrastructure](#public-key-infrastructure)
* [Directory Synchronization](#directory-synchronization)
-* [Federation](#federation)
+* [Federation](#federation-with-azure)
* [MultiFactor Authentication](#multifactor-authentication)
* [Device Registration](#device-registration)
-## Directories ##
+## Directories
+
Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2.
A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription.
@@ -43,7 +44,7 @@ You can deploy Windows Hello for Business in any environment with Windows Server
Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs.
-### Section Review ###
+### Section Review
> [!div class="checklist"]
> * Active Directory Domain Functional Level
@@ -54,7 +55,7 @@ Review these requirements and those from the Windows Hello for Business planning
-## Public Key Infrastructure ##
+## Public Key Infrastructure
The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller.
Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object.
@@ -65,7 +66,7 @@ The minimum required enterprise certificate authority that can be used with Wind
* Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name).
* The certificate Key Usage section must contain Digital Signature and Key Encipherment.
* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
-* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1).
+* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5).
* The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name.
* The certificate template must have an extension that has the BMP data value "DomainController".
* The domain controller certificate must be installed in the local computer's certificate store.
@@ -83,7 +84,8 @@ The minimum required enterprise certificate authority that can be used with Wind
-## Directory Synchronization ##
+## Directory Synchronization
+
The two directories used in hybrid deployments must be synchronized. You need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory.
Organizations using older directory synchronization technology, such as DirSync or Azure AD sync need to upgrade to Azure AD Connect.
@@ -96,17 +98,20 @@ Organizations using older directory synchronization technology, such as DirSync
-## Federation with Azure ##
-You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) beginning with Windows Server 2012 R2.
+## Federation with Azure
+
+You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/hybrid/whatis-phs) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) beginning with Windows Server 2012 R2.
+
+### Section Review
-### Section Review ###
> [!div class="checklist"]
> * Non-federated environments
> * Federated environments
-## Multifactor Authentication ##
+## Multifactor Authentication
+
Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication.
Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD.
@@ -119,17 +124,20 @@ Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Auth
-## Device Registration ##
+## Device Registration
+
Organizations wanting to deploy hybrid key trust need their domain joined devices to register to Azure Active Directory. Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud. This ensures that only approved computers are used with that Azure Active Directory. Each computer registers its identity in Azure Active Directory.
-### Section Checklist ###
+### Section Checklist
+
> [!div class="checklist"]
> * Device Registration with Azure Device Registration
-### Next Steps ###
+### Next Steps
+
Follow the Windows Hello for Business hybrid key trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Baseline**.
For environments transitioning from on-premises to hybrid, start with **Configure Azure Directory Synchronization**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
index 0c6d6de655..bda944c54a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
@@ -77,6 +77,8 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
+>[!NOTE]
+>The Domain Controller Certificate must be present in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store. If you are using a 3rd party CA, this may not be done by default. If the Domain Controller Certificate is not present in the NTAuth store, user authentication will fail.
### Publish Certificate Templates to a Certificate Authority
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
index 969530cb43..161f924588 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
@@ -67,6 +67,9 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO�**
3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**.
+>[!IMPORTANT]
+>If you don't find options in GPO, you have to load the [PolicyDefinitions folder](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra).
+
### Windows Hello for Business Group Policy
The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index 83bb883504..ba1e004510 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -26,7 +26,7 @@ Windows Hello addresses the following problems with passwords:
- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
- Server breaches can expose symmetric network credentials (passwords).
- Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673).
-- Users can inadvertently expose their passwords due to [phishing attacks](https://go.microsoft.com/fwlink/p/?LinkId=615674).
+- Users can inadvertently expose their passwords due to [phishing attacks](https://docs.microsoft.com/windows/security/threat-protection/intelligence/phishing).
>[!div class="mx-tdBreakAll"]
>| | | |
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index 13cf3b5a0e..0c493ddc5d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -150,7 +150,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
### Windows Server 2016, 2012 R2 or later Domain Controllers
-Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008R2-domain-controllers) section.
+Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008-r2-domain-controllers) section.
Sign-in the federation server with _Domain Admin_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm.
1. Start **Server Manager**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
index fd1a237822..eb46ba61fe 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
@@ -174,7 +174,7 @@ Update the server using Windows Update until the server has no required or optio
#### Configure the IIS Server’s Certificate
-To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-server’s-certificate) section.
+To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-servers-certificate) section.
#### Create WebServices SDK user account
@@ -182,7 +182,7 @@ The User Portal and Mobile Application web services need to communicate with the
1. Open **Active Directory Users and Computers**.
2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**.
-3. In the **New Object – User** dialog box, type **PFWSDK_** in the **First name** and **User logon name** boxes, where ** is the name of the primary MFA server running the Web Services SDK. Click **Next**.
+3. In the **New Object – User** dialog box, type **PFWSDK_\** in the **First name** and **User logon name** boxes, where *\* is the name of the primary MFA server running the Web Services SDK. Click **Next**.
4. Type a strong password and confirm it in the respective boxes. Clear **User must change password at next logon**. Click **Next**. Click **Finish** to create the user account.
#### Add the MFA SDK user account to the Phonefactor Admins group
@@ -192,7 +192,7 @@ Adding the WebServices SDK user account to the Phonefactor Admins group provides
1. Open **Active Directory Users and Computers**.
2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select **Users**. In the content pane. Right-click the **Phonefactors Admin** security group and select Properties.
3. Click the Members tab.
-4. Click **Add**. Click **Object Types..** Type the PFWSDK_ user name in the **Enter the object names to select** box and then click **OK**.
+4. Click **Add**. Click **Object Types..** Type the PFWSDK_\ user name in the **Enter the object names to select** box and then click **OK**.
* The computer account for the primary MFA Server
* The Webservices SDK user account
* Group or user account that will manage the User Portal server.
@@ -507,7 +507,7 @@ Sign in the primary AD FS server with _local administrator_ equivalent credentia
Sign in the primary AD FS server with _local administrator_ equivalent credentials.
-Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file.
+Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **\** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file.
### Run the AD FS Adapter PowerShell cmdlet
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index c154697610..e9c7937ed9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -294,7 +294,7 @@ The following table lists the MDM policy settings that you can configure for Win
|
->[!NOTE]
+>[!NOTE]
> If policy is not configured to explicitly require letters or special characters, users will be restricted to creating a numeric PIN.
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index d7b76ad3f5..cd6424eb47 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -53,9 +53,9 @@ Windows stores biometric data that is used to implement Windows Hello securely o
## The difference between Windows Hello and Windows Hello for Business
-- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it is set up, however it is not backed by asymmetric (public/private key) or certificate-based authentication.
+- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it is set up, but can use a simple password hash depending on an individual's account type. This configuration is referred to as Windows Hello convenience PIN and it is not backed by asymmetric (public/private key) or certificate-based authentication.
-- Windows Hello for Business, which is configured by Group Policy or mobile device management (MDM) policy, uses key-based or certificate-based authentication.
+- **Windows Hello for Business**, which is configured by Group Policy or mobile device management (MDM) policy, always uses key-based or certificate-based authentication. This makes it much more secure than **Windows Hello convenience PIN**.
## Benefits of Windows Hello
@@ -95,7 +95,6 @@ For details, see [How Windows Hello for Business works](hello-how-it-works.md).
Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Windows Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Windows Hello but still use certificates on their domain controllers as a root of trust.
-
## Learn more
[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/en-us/itshowcase/implementing-windows-hello-for-business-at-microsoft)
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index cca50b7fcd..97ceac8319 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -247,7 +247,7 @@ If you use modern management for both domain and non-domain joined devices, writ
Windows Hello for Business is a feature exclusive to Windows 10. Some deployments and features are available using earlier versions of Windows 10. Others need the latest versions.
If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **3a** on your planning worksheet. Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage non-domain joined devices.
->[!NOTE]
+>[!NOTE]
>Azure Active Directory joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings. Use modern management to adjust policy settings to match the business needs of your organization.
Write **1511 or later** in box **3a** on your planning worksheet if any of the following are true.
diff --git a/windows/security/identity-protection/hello-for-business/reset-security-key.md b/windows/security/identity-protection/hello-for-business/reset-security-key.md
index b9cdc2e5ae..0cfc09e68c 100644
--- a/windows/security/identity-protection/hello-for-business/reset-security-key.md
+++ b/windows/security/identity-protection/hello-for-business/reset-security-key.md
@@ -24,7 +24,7 @@ ms.reviewer:
>This operation will wipe everything from your security key and reset it to factory defaults. **All data and credentials will be cleared.**
-A [Microsoft-compatible security key](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key) can be reset via Settings app ( Settings > Accounts > Sign-in options > Security key ).
+A [Microsoft-compatible security key](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key) can be reset via Settings app ( Settings > Accounts > Sign-in options > Security key ).
Follow the instructions in the Settings app and look for specific instructions based on your security key manufacturer below:
diff --git a/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md b/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md
index c4d3f73cb4..a181ec72c9 100644
--- a/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md
+++ b/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md
@@ -31,7 +31,7 @@ Certificates in Windows 10 Mobile are primarily used for the following purposes
- For installation and licensing of applications (from the Windows Phone Store or a custom company distribution site).
->[!WARNING]
+>[!WARNING]
>In Windows 10, Version 1607, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. [Learn more about this known issue in Version 1607](https://go.microsoft.com/fwlink/p/?LinkId=786764)
## Install certificates using Microsoft Edge
@@ -45,6 +45,7 @@ The Windows 10 Mobile certificate installer supports .cer, .p7b, .pem, and .pfx
## Install certificates using mobile device management (MDM)
Windows 10 Mobile supports root, CA, and client certificate to be configured via MDM. Using MDM, an administrator can directly add, delete, or query root and CA certificates, and configure the device to enroll a client certificate with a certificate enrollment server that supports Simple Certificate Enrollment Protocol (SCEP). SCEP enrolled client certificates are used by Wi-Fi, VPN, email, and browser for certificate-based client authentication. An MDM server can also query and delete SCEP enrolled client certificate (including user installed certificates), or trigger a new enrollment request before the current certificate is expired.
+
>[!WARNING]
>Do not use SCEP for encryption certificates for S/MIME. You must use a PFX certificate profile to support S/MIME on Windows 10 Mobile. For instructions on creating a PFX certificate profile in Microsoft Intune, see [Enable access to company resources using certificate profiles with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkID=718216).
@@ -72,5 +73,4 @@ Windows 10 Mobile supports root, CA, and client certificate to be configured vi
## Related topics
-[Configure S/MIME](configure-s-mime.md)
-
+[Configure S/MIME](configure-s-mime.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
index 10a0b0a26c..33bbc7b730 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@@ -82,7 +82,7 @@ Credential providers must be registered on a computer running Windows, and they
## Smart card subsystem architecture
-Vendors provide smart cards and smart card readers, and in many cases the vendors are different for the smart card and the smart card reader. Drivers for smart card readers are written to the [Personal Computer/Smart Card (PC/SC) standard](https://www.pcscworkgroup.com/). Each smart card must have a Credential Service Provider (CSP) that uses the CryptoAPI interfaces to enable cryptographic operations, and the WinSCard APIs to enable communications with smart card hardware.
+Vendors provide smart cards and smart card readers, and in many cases the vendors are different for the smart card and the smart card reader. Drivers for smart card readers are written to the [Personal Computer/Smart Card (PC/SC) standard](https://www.pcscworkgroup.com/). Each smart card must have a Cryptographic Service Provider (CSP) that uses the CryptoAPI interfaces to enable cryptographic operations, and the WinSCard APIs to enable communications with smart card hardware.
### Base CSP and smart card minidriver architecture
@@ -334,7 +334,7 @@ The following properties are supported in versions of Windows designated in the
### Implications for CSPs in Windows
-Credential Service Providers (CSPs), including custom smart card CSPs, continue to be supported but this approach is not recommended. Using the existing Base CSP and smart card KSP with the smart card minidriver model for smart cards provides significant benefits in terms of performance, and PIN and data caching. One minidriver can be configured to work under CryptoAPI and CNG layers. This provides benefits from enhanced cryptographic support, including elliptic curve cryptography and AES.
+Cryptographic Service Providers (CSPs), including custom smart card CSPs, continue to be supported but this approach is not recommended. Using the existing Base CSP and smart card KSP with the smart card minidriver model for smart cards provides significant benefits in terms of performance, and PIN and data caching. One minidriver can be configured to work under CryptoAPI and CNG layers. This provides benefits from enhanced cryptographic support, including elliptic curve cryptography and AES.
If a smart card is registered by a CSP and a smart card minidriver, the one that was installed most recently will be used to communicate with the smart card.
diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
index 5c4e5fc232..701083c55c 100644
--- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
+++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
@@ -31,7 +31,7 @@ This guide explains how credential theft attacks occur and the strategies and co
- Respond to suspicious activity
- Recover from a breach
-
+
## Attacks that steal credentials
diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
index 26fd5e8431..144180cd40 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
@@ -39,7 +39,7 @@ For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-sett
The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the C: drive to AD DS, you would use the following command from an elevated command prompt: **manage-bde -protectors -adbackup C:**.
-> [!IMPORTANT]
+> [!IMPORTANT]
> Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).
## Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup?
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index 2a808c73fa..e3226ec136 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -1713,7 +1713,7 @@ In **Configure user storage of BitLocker recovery information**, select whether
Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you cannot specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting.
-In **Save BitLocker recovery information to Active Directory Doman Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS.
+In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS.
Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, you can use the **Repair-bde** command-line tool. If you select **Backup recovery password only**, only the recovery password is stored in AD DS.
For more information about the BitLocker repair tool, see [Repair-bde](https://technet.microsoft.com/library/ff829851.aspx).
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index a5e58c1e6b..8dd40cf580 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -101,7 +101,7 @@ To install the role using Windows PowerShell, use the following command:
Install-WindowsFeature WDS-Deployment
```
-You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Doman Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard.
+You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Domain Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard.
###
Confirm the WDS Service is running
diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md
index 349af8295f..fa1f49ee5d 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md
@@ -58,7 +58,7 @@ For older hardware, where a PIN may be needed, it’s recommended to enable [enh
BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.
-> [!IMPORTANT]
+> [!IMPORTANT]
> Store the recovery information in AD DS, along with your Microsoft Account, or another safe location.
## Can the USB flash drive that is used as the startup key also be used to store the recovery key?
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
index 8775e52fb9..b89ced627d 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -22,6 +22,10 @@ The ideal for BitLocker management is to eliminate the need for IT admins to set
Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for different types of computers.
+
+>[!IMPORTANT]
+> Microsoft BitLocker Administration and Monitoring (MBAM) capabilities will be offered from [SCCM in on-prem scenarios](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/viewing-mbam-25-reports-for-the-configuration-manager-integration-topology) in the future.
+
## Managing domain-joined computers and moving to cloud
Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx).
@@ -46,7 +50,7 @@ For Windows PCs and Windows Phones that enroll using **Connect to work or school
## Managing servers
-Servers are often installed, configured, and deployed using PowerShell, so the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#a-href-idbkmk-blcmdletsabitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server, so follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC.
+Servers are often installed, configured, and deployed using PowerShell, so the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server, so follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC.
The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-core) installation, you must add the necessary GUI components first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](https://blogs.technet.microsoft.com/server_core/2012/11/05/using-features-on-demand-with-updated-systems-and-patched-images/) and [How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/).
@@ -132,9 +136,11 @@ PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpace
-
-**Powershell**
-[BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#a-href-idbkmk-blcmdletsabitlocker-cmdlets-for-windows-powershell)
+
+
+# **PowerShell**
+
+[BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell)
[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md
index 054d1aedf7..dd0439236b 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md
@@ -40,7 +40,7 @@ Yes, BitLocker supports multifactor authentication for operating system drives.
For requirements, see [System requirements](bitlocker-overview.md#system-requirements).
-> [!NOTE]
+> [!NOTE]
> Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it is cannot be protected by BitLocker.
## Why are two partitions required? Why does the system drive have to be so large?
diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
index 0a3788fac9..a12e4c3b02 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
@@ -39,6 +39,6 @@ BitLocker on operating system drives in its basic configuration (with a TPM but
Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming.
-> [!NOTE]
+> [!NOTE]
> Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md
index db58b1db22..de4112e3d5 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md
@@ -40,6 +40,6 @@ Users need to suspend BitLocker for Non-Microsoft software updates, such as:
- TPM firmware updates
- Non-Microsoft application updates that modify boot components
-> [!NOTE]
+> [!NOTE]
> If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md
index a8069a69e9..8c25c57e76 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md
@@ -78,7 +78,7 @@ Limited BitLocker functionality is available in Safe Mode. BitLocker-protected d
Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the –lock command.
-> [!NOTE]
+> [!NOTE]
> Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible.
The syntax of this command is:
diff --git a/windows/security/information-protection/encrypted-hard-drive.md b/windows/security/information-protection/encrypted-hard-drive.md
index aa97e1a83e..cf637532f1 100644
--- a/windows/security/information-protection/encrypted-hard-drive.md
+++ b/windows/security/information-protection/encrypted-hard-drive.md
@@ -41,7 +41,7 @@ Encrypted Hard Drives are supported natively in the operating system through the
- **API**: API support for applications to manage Encrypted Hard Drives independently of BitLocker Drive Encryption (BDE)
- **BitLocker support**: Integration with the BitLocker Control Panel provides a seamless BitLocker end user experience.
->[!WARNING]
+>[!WARNING]
>Self-Encrypting Hard Drives and Encrypted Hard Drives for Windows are not the same type of device. Encrypted Hard Drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-Encrypting Hard Drives do not have these requirements. It is important to confirm the device type is an Encrypted Hard Drive for Windows when planning for deployment.
If you are a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](https://msdn.microsoft.com/library/windows/hardware/dn653989.aspx).
@@ -63,7 +63,7 @@ For an Encrypted Hard Drive used as a **startup drive**:
- The computer must have the Compatibility Support Module (CSM) disabled in UEFI.
- The computer must always boot natively from UEFI.
->[!WARNING]
+>[!WARNING]
>All Encrypted Hard Drives must be attached to non-RAID controllers to function properly.
## Technical overview
@@ -83,9 +83,9 @@ Configuration of Encrypted Hard Drives as startup drives is done using the same
There are three related Group Policy settings that help you manage how BitLocker uses hardware-based envryption and which encryption algorithms to use. If these settings are not configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption:
-- [Configure use of hardware-based encryption for fixed data drives](bitlocker/bitlocker-group-policy-settings.md#a-href-idbkmk-hdefxdaconfigure-use-of-hardware-based-encryption-for-fixed-data-drives)
-- [Configure use of hardware-based encryption for removable data drives](bitlocker/bitlocker-group-policy-settings.md#a-href-idbkmk-hderddaconfigure-use-of-hardware-based-encryption-for-removable-data-drives)
-- [Configure use of hardware-based encryption for operating system drives](bitlocker/bitlocker-group-policy-settings.md#a-href-idbkmk-hdeosdaconfigure-use-of-hardware-based-encryption-for-operating-system-drives)
+- [Configure use of hardware-based encryption for fixed data drives](bitlocker/bitlocker-group-policy-settings.md#bkmk-hdefxd)
+- [Configure use of hardware-based encryption for removable data drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-removable-data-drives)
+- [Configure use of hardware-based encryption for operating system drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-operating-system-drives)
## Encrypted Hard Drive Architecture
@@ -107,4 +107,4 @@ Many Encrypted Hard Drive devices come pre-configured for use. If reconfiguratio
1. Open Disk Management (diskmgmt.msc)
2. Initialize the disk and select the appropriate partition style (MBR or GPT)
3. Create one or more volumes on the disk.
-4. Use the BitLocker setup wizard to enable BitLocker on the volume.
+4. Use the BitLocker setup wizard to enable BitLocker on the volume.
\ No newline at end of file
diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
index a251c95b5e..7f618aa9ba 100644
--- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
@@ -43,7 +43,7 @@ It is important to note that this binding to PCR values also includes the hashin
## What happens when PCR banks are switched?
-When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. For the same input, each hash algorithm will return a different cryptographic signature for the same inputs.
+When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. Each hash algorithm will return a different cryptographic signature for the same inputs.
As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR banks to SHA-256, the banks wouldn’t match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows 10 will not be able to unseal it if the PCR banks are switched while BitLocker is enabled.
diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md
index c808dfe356..b058f905a9 100644
--- a/windows/security/information-protection/tpm/tpm-recommendations.md
+++ b/windows/security/information-protection/tpm/tpm-recommendations.md
@@ -70,7 +70,9 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC.
> [!NOTE]
-> TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
+> TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature.
+
+> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](https://docs.microsoft.com/en-us/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI.
## Discrete, Integrated or Firmware TPM?
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
index 1478ec896f..c3f0286d24 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
@@ -89,11 +89,11 @@ Some things that you can check on the device are:
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
- [Details on the TPM standard](https://www.microsoft.com/en-us/research/project/the-trusted-platform-module-tpm/) (has links to features using TPM)
-- [TPM Base Services Portal](https://docs.microsoft.com/en-us/windows/desktop/TBS/tpm-base-services-portal)
-- [TPM Base Services API](https://docs.microsoft.com/en-us/windows/desktop/api/_tbs/)
+- [TPM Base Services Portal](https://docs.microsoft.com/windows/desktop/TBS/tpm-base-services-portal)
+- [TPM Base Services API](https://docs.microsoft.com/windows/desktop/api/_tbs/)
- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule)
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations)
-- [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/en-us/blog/device-provisioning-identity-attestation-with-tpm/)
-- [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/en-us/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/)
+- [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/blog/device-provisioning-identity-attestation-with-tpm/)
+- [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/)
- [Windows 10: Enabling vTPM (Virtual TPM)](https://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx)
- [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx)
diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
index d251a04493..dff04d8807 100644
--- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
+++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
@@ -165,7 +165,7 @@ Use Windows Event Forwarding to collect and aggregate your WIP audit events. You
2. In the console tree under **Application and Services Logs\Microsoft\Windows**, click **EDP-Audit-Regular** and **EDP-Audit-TCB**.
## Collect WIP audit logs using Azure Monitor
-You can collect audit logs using Azure Monitor. See [Windows event log data sources in Azure Monitor.](https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs)
+You can collect audit logs using Azure Monitor. See [Windows event log data sources in Azure Monitor.](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs)
**To view the WIP events in Azure Monitor**
1. Use an existing or create a new Log Analytics workspace.
@@ -179,7 +179,7 @@ You can collect audit logs using Azure Monitor. See [Windows event log data sour
>[!NOTE]
>If using Windows Events Logs, the event log names can be found under Properties of the event in the Events folder (Application and Services Logs\Microsoft\Windows, click EDP-Audit-Regular and EDP-Audit-TCB).
-3. Download Microsoft [Monitoring Agent](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows#install-the-agent-using-dsc-in-azure-automation).
+3. Download Microsoft [Monitoring Agent](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#install-the-agent-using-dsc-in-azure-automation).
4. To get MSI for Intune installation as stated in the Azure Monitor article, extract: MMASetup-.exe /c /t:
Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary key. More information on Workspace ID and Primary key can be found in **Log Analytics** > **Advanced Settings**.
diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
index 2636b5b98e..7bde4e34bf 100644
--- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@@ -90,7 +90,7 @@ It's possible that you might revoke data from an unenrolled device only to later
To start Robocopy in S mode, open Task Manager. Click **File** > **Run new task**, type the command, and click **Create this task with administrative privileges**.
- 
+ 
If the employee performed a clean installation and there is no user profile, you need to recover the keys from the System Volume folder in each drive. Type:
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 00d2cad395..47cc545f94 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -97,7 +97,7 @@ Select **Store apps**, type the app product name and publisher, and click **OK**
- **Publisher**: `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
- **Product Name**: `Microsoft.MicrosoftPowerBIForWindows`
-
+
To add multiple Store apps, click the ellipsis **…**.
@@ -565,7 +565,7 @@ After you create and deploy your WIP policy to your employees, Windows begins to
## Choose your optional WIP-related settings
After you've decided where your protected apps can access enterprise data on your network, you can choose optional settings.
-
+
**Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
index af4c35b94e..441e6d2b75 100644
--- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
@@ -71,7 +71,7 @@ Microsoft has made a concerted effort to enlighten several of our more popular a
- Microsoft Remote Desktop
->[!NOTE]
+>[!NOTE]
>Microsoft Visio and Microsoft Project are not enlightended apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioining.
## List of WIP-work only apps from Microsoft
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md
index c65af63ce9..6edaaf0f7d 100644
--- a/windows/security/information-protection/windows-information-protection/wip-learning.md
+++ b/windows/security/information-protection/windows-information-protection/wip-learning.md
@@ -1,88 +1,118 @@
----
-title:
-# Fine-tune Windows Information Policy (WIP) with WIP Learning
-description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company.
-ms.assetid: 53db29d2-d99d-4db6-b494-90e2b4872ca2
-ms.reviewer:
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP Learning
-ms.prod: w10
-ms.mktglfcycl:
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: dulcemontemayor
-ms.author: dolmont
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 02/26/2019
----
-
-# Fine-tune Windows Information Protection (WIP) with WIP Learning
-**Applies to:**
-
-- Windows 10, version 1703 and later
-- Windows 10 Mobile, version 1703 and later
-
-With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports can be accessed from Microsoft Azure Intune.
-
-The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Block”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly.
-
-In the **Website learning report**, you can view a summary of the devices that have shared work data with websites. You can use this information to determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps so you can decide which ones are cloud or personal, and add them to the resource list.
-
-## Access the WIP Learning reports
-
-1. Open the [Azure portal](http://portal.azure.com/).
-
-1. Click **All services**, type **Intune** in the text box filter, and click the star to add it to **Favorites**.
-
-1. Click **Intune** > **Client apps** > **App protection status** > **Reports**.
-
- 
-
-1. Select either **App learning report for Windows Information Protection** or **Website learning report for Windows Information Protection**.
-
- 
-
-Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies.
-
-## Use the WIP section of Device Health
-
-You can use Device Health to adjust your WIP protection policy. See [Using Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-using#windows-information-protection) to learn more.
-
-If you want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-get-started) for more information.
-
-Once you have WIP policies in place, by using the WIP section of Device Health, you can:
-
-- Reduce disruptive prompts by adding rules to allow data sharing from approved apps.
-- Tune WIP rules by confirming that certain apps are allowed or denied by current policy.
-
-## Use Device Health and Intune to adjust WIP protection policy
-
-The information needed for the following steps can be found using Device Health, which you will first have to set up. Learn more about how you can [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor).
-
-1. In **Device Health** click the app you want to add to your policy and copy the publisher information.
-
-2. In Intune, click **App protection policies** and then choose the app policy you want to add an application to.
-
-3. Click **Protected apps**, and then click **Add Apps**.
-
-4. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app).
-
- 
-
-5. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 1 above.
-
- 
-
-6. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**).
-
-7. Copy the name of the executable (for example, snippingtool.exe) and paste it in **FILE** (required).
-
-8. Type the version number of the app into **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny**
-
-When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes)
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+---
+title:
+# Fine-tune Windows Information Policy (WIP) with WIP Learning
+description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company.
+ms.assetid: 53db29d2-d99d-4db6-b494-90e2b4872ca2
+ms.reviewer:
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP Learning
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: stephow-MSFT
+ms.author: stephow
+manager: laurawi
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 02/26/2019
+---
+
+# Fine-tune Windows Information Protection (WIP) with WIP Learning
+**Applies to:**
+
+- Windows 10, version 1703 and later
+- Windows 10 Mobile, version 1703 and later
+
+With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports can be accessed from Microsoft Azure Intune.
+
+The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Block”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly.
+
+In the **Website learning report**, you can view a summary of the devices that have shared work data with websites. You can use this information to determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps so you can decide which ones are cloud or personal, and add them to the resource list.
+
+## Access the WIP Learning reports
+
+1. Open the [Azure portal](http://portal.azure.com/).
+
+1. Click **All services**, type **Intune** in the text box filter, and click the star to add it to **Favorites**.
+
+1. Click **Intune** > **Client apps** > **App protection status** > **Reports**.
+
+ 
+
+1. Select either **App learning report for Windows Information Protection** or **Website learning report for Windows Information Protection**.
+
+ 
+
+Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies.
+
+## Use the WIP section of Device Health
+
+You can use Device Health to adjust your WIP protection policy. See [Using Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-using#windows-information-protection) to learn more.
+
+If you want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-get-started) for more information.
+
+Once you have WIP policies in place, by using the WIP section of Device Health, you can:
+
+- Reduce disruptive prompts by adding rules to allow data sharing from approved apps.
+- Tune WIP rules by confirming that certain apps are allowed or denied by current policy.
+
+## Use Device Health and Intune to adjust WIP protection policy
+
+The information needed for the following steps can be found using Device Health, which you will first have to set up. Learn more about how you can [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor).
+
+1. In **Device Health** click the app you want to add to your policy and copy the **WipAppId**.
+
+ For example, if the app is Google Chrome, the WipAppId is:
+
+ `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US\GOOGLE CHROME\CHROME.EXE\74.0.3729.108`
+
+ In the steps below, you separate the WipAppId by back slashes into the **PUBLISHER**, **PRODUCT NAME**, and **FILE** fields.
+
+2. In Intune, click **App protection policies** and then choose the app policy you want to add an application to.
+
+3. Click **Protected apps**, and then click **Add Apps**.
+
+4. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app).
+
+ 
+
+5. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 1 above.
+
+ For example, if the WipAppId is
+
+ `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US\GOOGLE CHROME\CHROME.EXE\74.0.3729.108`
+
+ the text before the first back slash is the publisher:
+
+ `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US`
+
+ 
+
+6. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**).
+
+ For example, if the WipAppId is
+
+ `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US\GOOGLE CHROME\CHROME.EXE\74.0.3729.108`
+
+ the text between the first and second back slashes is the product name:
+
+ `GOOGLE CHROME`
+
+7. Copy the name of the executable (for example, snippingtool.exe) and paste it in **FILE** (required).
+
+ For example, if the WipAppId is
+
+ `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US\GOOGLE CHROME\CHROME.EXE\74.0.3729.108`
+
+ the text between the second and third back slashes is the file:
+
+ `CHROME.EXE`
+
+8. Type the version number of the app into **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny**
+
+When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes)
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 7f7a83fc9f..f0e810f95d 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -72,6 +72,7 @@
#### [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)
##### [Learn about the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation.md)
+#####[Manage actions related to automated investigation and remediation](microsoft-defender-atp/auto-investigation-action-center.md)
#### [Secure score](microsoft-defender-atp/overview-secure-score.md)
@@ -422,6 +423,11 @@
#### [Troubleshoot Microsoft Defender ATP service issues](microsoft-defender-atp/troubleshoot-mdatp.md)
##### [Check service health](microsoft-defender-atp/service-status.md)
+
+#### [Troubleshoot live response issues]()
+##### [Troubleshoot issues related to live response](microsoft-defender-atp/troubleshoot-live-response.md)
+
+
####Troubleshoot attack surface reduction
##### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md)
##### [Attack surface reduction rules](windows-defender-exploit-guard/troubleshoot-asr.md)
@@ -517,7 +523,7 @@
##### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md)
##### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md)
###### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md)
-###### [How to list XML elements in
](auditing/how-to-list-xml-elements-in-eventdata.md)
+###### [How to list XML elements in \](auditing/how-to-list-xml-elements-in-eventdata.md)
###### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
####### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md)
@@ -851,8 +857,8 @@
####### [Event 1105 S: Event log automatic backup.](auditing/event-1105.md)
####### [Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.](auditing/event-1108.md)
###### [Appendix A: Security monitoring recommendations for many audit events](auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md)
-###### [Registry (Global Object Access Auditing) ](auditing/registry-global-object-access-auditing.md)
-###### [File System (Global Object Access Auditing) ](auditing/file-system-global-object-access-auditing.md)
+###### [Registry (Global Object Access Auditing)](auditing/registry-global-object-access-auditing.md)
+###### [File System (Global Object Access Auditing)](auditing/file-system-global-object-access-auditing.md)
@@ -1035,11 +1041,11 @@
##### [Security Compliance Toolkit](windows-security-configuration-framework/security-compliance-toolkit-10.md)
##### [Get support](windows-security-configuration-framework/get-support-for-security-baselines.md)
#### [Windows security configuration framework](windows-security-configuration-framework/windows-security-configuration-framework.md)
-##### [Level 5 enterprise security](windows-security-configuration-framework/level-5-enterprise-security.md)
-##### [Level 4 enterprise high security](windows-security-configuration-framework/level-4-enterprise-high-security.md)
-##### [Level 3 enterprise VIP security](windows-security-configuration-framework/level-3-enterprise-vip-security.md)
-##### [Level 2 enterprise dev/ops workstation](windows-security-configuration-framework/level-2-enterprise-devops-security.md)
-##### [Level 1 enterprise administrator workstation](windows-security-configuration-framework/level-1-enterprise-administrator-security.md)
+##### [Level 1 enterprise basic security](windows-security-configuration-framework/level-1-enterprise-basic-security.md)
+##### [Level 2 enterprise enhanced security](windows-security-configuration-framework/level-2-enterprise-enhanced-security.md)
+##### [Level 3 enterprise high security](windows-security-configuration-framework/level-3-enterprise-high-security.md)
+##### [Level 4 enterprise dev/ops workstation](windows-security-configuration-framework/level-4-enterprise-devops-security.md)
+##### [Level 5 enterprise administrator workstation](windows-security-configuration-framework/level-5-enterprise-administrator-security.md)
### [MBSA removal and alternatives](mbsa-removal-and-guidance.md)
diff --git a/windows/security/threat-protection/auditing/event-4697.md b/windows/security/threat-protection/auditing/event-4697.md
index 72efcaeaae..d454c05905 100644
--- a/windows/security/threat-protection/auditing/event-4697.md
+++ b/windows/security/threat-protection/auditing/event-4697.md
@@ -114,11 +114,11 @@ This event generates when new service was installed in the system.
| 0x2 | File System Driver | A file system driver, which is also a Kernel device driver. |
| 0x8 | Recognizer Driver | A file system driver used during startup to determine the file systems present on the system. |
| 0x10 | Win32 Own Process | A Win32 program that can be started by the Service Controller and that obeys the service control protocol. This type of Win32 service runs in a process by itself (this is the most common). |
-| 0x20 | Win32 Share Process | A Win32 service that can share a process with other Win32 services.
(see: |
-| 0x110 | Interactive Own Process | A service that should be run as a standalone process and can communicate with the desktop.
(see: ) |
+| 0x20 | Win32 Share Process | A Win32 service that can share a process with other Win32 services.
(see: |
+| 0x110 | Interactive Own Process | A service that should be run as a standalone process and can communicate with the desktop.
(see: ) |
| 0x120 | Interactive Share Process | A service that can share address space with other services of the same type and can communicate with the desktop. |
-- **Service Start Type** \[Type = HexInt32\]: The service start type can have one of the following values (see: :
+- **Service Start Type** \[Type = HexInt32\]: The service start type can have one of the following values (see: :
| Value | Service Type | Description |
|-------|---------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------|
diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md
index 41c866e704..74e6e22b45 100644
--- a/windows/security/threat-protection/auditing/event-4768.md
+++ b/windows/security/threat-protection/auditing/event-4768.md
@@ -219,7 +219,7 @@ The most common values:
| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided.
This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. |
| 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | This error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients do not request pre-authentication when they send a KRB\_AS\_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way. |
| 0x1A | KDC\_ERR\_SERVER\_NOMATCH | KDC does not know about the requested server | No information. |
-| 0x1B | KDC\_ERR\_SVC\_UNAVAILABLE | KDC is unavailable | No information. |
+| 0x1D | KDC\_ERR\_SVC\_UNAVAILABLE | KDC is unavailable | No information. |
| 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | The authenticator was encrypted with something other than the session key. The result is that the client cannot decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise. |
| 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | The ticket has expired | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message. |
| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | The ticket is not yet valid | The ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized.
If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well. |
diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md
index 55bc44dda3..9722578bab 100644
--- a/windows/security/threat-protection/auditing/event-5065.md
+++ b/windows/security/threat-protection/auditing/event-5065.md
@@ -20,7 +20,7 @@ ms.author: dansimp
- Windows Server 2016
-This event generates in [BCryptConfigureContext](https://msdn.microsoft.com/es-es/vstudio/aa375379)() function. This is a Cryptographic Next Generation (CNG) function.
+This event generates in [BCryptConfigureContext](https://msdn.microsoft.com/vstudio/aa375379)() function. This is a Cryptographic Next Generation (CNG) function.
This event generates when configuration information was changed for existing CNG context.
diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
index 2a2cd6a8bf..910939ae7e 100644
--- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
+++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
@@ -46,7 +46,7 @@ Protecting authorized removable storage with Windows Defender Antivirus requires
- If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted, so that Windows Defender Antivirus starts scanning all files on a removable device once the removable device is attached. However, we recommend enabling real-time protection for improved scanning performance, especially for large storage devices.
- If scheduled scans are used, then you need to disable the DisableRemovableDriveScanning setting (enabled by default) to scan the removable device during a full scan. Removable devices are scanned during a quick or custom scan regardless of the DisableRemovableDriveScanning setting.
->[!NOTE]
+>[!NOTE]
>We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10 in **Device Restrictions** > **Configure** > **Windows Defender Antivirus** > **Real-time monitoring**.
-
-
-
+
+
+
-
-->
-
-->
-
-->
-
@@ -1502,4 +1502,3 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
```
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 7e81a69fbc..960a7fb0ca 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -46,7 +46,7 @@ To modify the policy rule options of an existing WDAC policy, use [Set-RuleOptio
You can set several rule options within a WDAC policy. Table 2 describes each rule option.
-> [!NOTE]
+> [!NOTE]
> We recommend that you use **Enabled:Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. To allow these applications, you can capture the policy information from the event log, and then merge that information into the existing policy. When the **Enabled:Audit Mode** is deleted, the policy runs in enforced mode.
**Table 2. Windows Defender Application Control policy - policy rule options**
@@ -70,6 +70,7 @@ You can set several rule options within a WDAC policy. Table 2 describes each ru
| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
| **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically re-validate the reputation for files that were authorized by the ISG.|
| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. |
+| **17 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically-loaded libraries. |
## Windows Defender Application Control file rule levels
diff --git a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md b/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md
index cc6289cb8a..b00e9c0154 100644
--- a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md
+++ b/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md
@@ -49,7 +49,7 @@ If you do not have a code signing certificate, see the [Optional: Create a code
` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
- > [!Note]
+ > [!NOTE]
> This example uses the WDAC policy that you created in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md). If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md).
@@ -64,8 +64,8 @@ If you do not have a code signing certificate, see the [Optional: Create a code
` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update`
- > [!Note]
- > should be the full path to the certificate that you exported in step 3.
+ > [!NOTE]
+ > \ should be the full path to the certificate that you exported in step 3.
Also, adding update signers is crucial to being able to modify or disable this policy in the future.
6. Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option:
@@ -80,7 +80,7 @@ If you do not have a code signing certificate, see the [Optional: Create a code
` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin`
- > [!Note]
+ > [!NOTE]
> The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
index 363c9d9fe3..e481ff08f8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
@@ -51,7 +51,7 @@ If you do not have a code signing certificate, see [Optional: Create a code sign
` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
- > [!Note]
+ > [!NOTE]
> This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md).
@@ -66,7 +66,7 @@ If you do not have a code signing certificate, see [Optional: Create a code sign
` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update`
- > [!Note]
+ > [!NOTE]
> *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3.
Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed WDAC policies, see [Disable signed Windows Defender Application Control policies within Windows](disable-windows-defender-application-control-policies.md#disable-signed-windows-defender-application-control-policies-within-windows).
@@ -82,7 +82,7 @@ If you do not have a code signing certificate, see [Optional: Create a code sign
` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin`
- > [!Note]
+ > [!NOTE]
> The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
index 18738ef4ec..8d7885f549 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
@@ -27,7 +27,7 @@ Dynamic Code Security is not enabled by default because existing policies may no
Additionally, a small number of .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, are not currently supported with Dynamic Code Security enabled.
Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy.
-To enable Dynamic Code Security, add the following option to the section of your policy:
+To enable Dynamic Code Security, add the following option to the `` section of your policy:
```xml
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-device-guard-and-applocker.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-device-guard-and-applocker.md
index c8524f1f9b..bc80b871c8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-device-guard-and-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-device-guard-and-applocker.md
@@ -18,7 +18,7 @@ Although [AppLocker](applocker/applocker-overview.md) is not considered a new Wi
There are many scenarios in which WDAC would be used alongside AppLocker rules.
As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
-> [!NOTE]
+> [!NOTE]
> One example of how Windows Defender Device Guard functionality can be enhanced by AppLocker is when you want to apply different policies for different users on the same device. For example, you may allow your IT support personnel to run additional apps that you do not allow for your end-users. You can accomplish this user-specific enforcement by using an AppLocker rule.
AppLocker and Windows Defender Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index 48d98e20cb..aa3c23a2cf 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -22,25 +22,42 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019.
+
+Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1704 and 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019.
+
To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subscription, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment.
+
Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including:
- Executable files and scripts used in Office apps or web mail that attempt to download or run files
- Obfuscated or otherwise suspicious scripts
- Behaviors that apps don't usually initiate during normal day-to-day work
-You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
+You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 securty center.
For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
+## Review attack surface reduction events in the Microsoft Security Center
+
+Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
+
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings could affect your environment.
+
+Here is an example query:
+
+```
+MiscEvents
+| where ActionType startswith 'Asr'
+```
+
## Review attack surface reduction events in Windows Event Viewer
You can review the Windows event log to view events that are created when attack surface reduction rules fire:
@@ -63,6 +80,8 @@ Event ID | Description
1121 | Event when rule fires in Block-mode
1122 | Event when rule fires in Audit-mode
+The "engine version" of attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all machines with Windows 10 installed.
+
## Attack surface reduction rules
@@ -141,7 +160,7 @@ GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Malware often uses JavaScript and VBScript scripts to launch other malicious apps.
-Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers. You can exclude scripts so they're allowed to run.
+Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers.
>[!IMPORTANT]
>File and folder exclusions don't apply to this attack surface reduction rule.
@@ -179,9 +198,9 @@ This rule blocks the following file types from launching unless they either meet
- Executable files (such as .exe, .dll, or .scr)
>[!NOTE]
->You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+>You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
->[!IMPORTANT]
+>[!IMPORTANT]
>The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
>
>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
@@ -197,7 +216,7 @@ GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list.
>[!NOTE]
->You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+>You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
Intune name: Advanced ransomware protection
@@ -207,7 +226,7 @@ GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
### Block credential stealing from the Windows local security authority subsystem (lsass.exe)
-Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
+Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
>[!NOTE]
>In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
@@ -284,3 +303,5 @@ GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b
- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
+- [Compatibility of Microsoft Defender with other antivirus/antimalware](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility)
+
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
index 3e7dd85f9c..6dd4b9f19f 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
@@ -42,7 +42,7 @@ The limited subset of rules that can be used in Windows 10 Enterprise E3 include
- Block process creations originating from PSExec and WMI commands
- Block untrusted and unsigned processes that run from USB
-For more information about these rules, see [Reduce attack surfaces with attack surface reduction rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard).
+For more information about these rules, see [Reduce attack surfaces with attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard).
## Related topics
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
index 00e0789bab..3029df4d23 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
@@ -45,7 +45,7 @@ Controlled folder access requires enabling [Windows Defender Antivirus real-time
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
Here is an example query
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
index 4559d896b6..2b7dec1738 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
@@ -40,7 +40,7 @@ You can exclude files and folders from being evaluated by attack surface reducti
An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to certain rules.
-An exclusion is applied only when when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
+An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
index 43cdc009e2..6e52ff5447 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
@@ -42,7 +42,7 @@ You can add additional folders to be protected, but you cannot remove the defaul
Adding other folders to controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults.
-You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
+You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
You can use the Windows Security app or Group Policy to add and remove additional protected folders.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
index 8fd5f7cc13..f6197a0a67 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
@@ -30,7 +30,7 @@ You configure these settings using the Windows Security app on an individual mac
It also describes how to enable or configure the mitigations using Windows Security, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md).
->[!WARNING]
+>[!WARNING]
>Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](evaluate-exploit-protection.md) before deploying the configuration across a production environment or the rest of your network.
## Exploit protection mitigations
@@ -208,7 +208,7 @@ Where:
For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used in the example above, you'd use the following command:
```PowerShell
-Set-ProcesMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
+Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
```
You can disable audit mode by using the same command but replacing `-Enable` with `-Disable`.
@@ -227,7 +227,7 @@ Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThun
Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available
Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available
Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available
-Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available
+Validate heap integrity | System and app-level | TerminateOnError | Audit not available
Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode
Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad
Block remote images | App-level only | BlockRemoteImages | Audit not available
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
index ef41c3f764..0a5a679109 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
@@ -101,7 +101,7 @@ Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] |
Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
->[!NOTE]
+>[!NOTE]
>The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process.
>
>See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
index 6240e524cc..b346df9a75 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@@ -53,7 +53,7 @@ You can exclude files and folders from being evaluated by most attack surface re
>- Block process creations originating from PSExec and WMI commands
>- Block JavaScript or VBScript from launching downloaded executable content
-You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. An exclusion is applied only when when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
+You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
@@ -73,9 +73,9 @@ The following procedures for enabling ASR rules include instructions for how to
## MDM
-Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
+Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
-The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules).
+The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules).
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
index 0c1ff68ba4..29ed15335f 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
@@ -72,7 +72,7 @@ For more information about disabling local list merging, see [Prevent or allow u
## MDM
-Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders.
+Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders.
## SCCM
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
index 5f87fa942d..3cd5fee197 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -61,7 +61,7 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP]
3. Double-click **Turn on Virtualization Based Security**.
4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**.
- 
+ 
5. Click **Ok** to close the editor.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
index dcffecd121..5652a45bd4 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
@@ -1,3 +1,4 @@
+---
ms.reviewer:
title: Import custom views to see attack surface reduction events
description: Use Windows Event Viewer to import individual views for each of the features.
@@ -65,7 +66,7 @@ You can also manually navigate to the event area that corresponds to the feature
3. On the left panel, under **Actions**, click **Create Custom View...**
- 
+ 
4. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**.
@@ -179,6 +180,4 @@ Controlled folder access | Windows Defender (Operational) | 1127 | Blocked Contr
Controlled folder access | Windows Defender (Operational) | 1128 | Audited Controlled folder access sector write block event
Attack surface reduction | Windows Defender (Operational) | 5007 | Event when settings are changed
Attack surface reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode
-
-
Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
index 6375ba8515..d701915788 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
@@ -42,9 +42,22 @@ Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](http
>[!IMPORTANT]
>If you are currently using EMET you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10. You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
->[!WARNING]
+>[!WARNING]
>Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network.
+## Review exploit protection events in the Microsoft Security Center
+
+Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
+
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how exploit protection settings could affect your environment.
+
+Here is an example query:
+
+```
+MiscEvents
+| where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'
+```
+
## Review exploit protection events in Windows Event Viewer
You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app:
@@ -143,7 +156,7 @@ Validate handle usage | [!include[Check mark yes](images/svg/check-yes.svg)] | [
Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
->[!NOTE]
+>[!NOTE]
>The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process.
>
>See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png
index 3289ace8cf..eac90e96f5 100644
Binary files a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png and b/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png differ
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png
index 5bc0f3e22b..67abde13e0 100644
Binary files a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png and b/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png differ
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
index 7bf07fbce8..e4fccb655d 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
@@ -49,7 +49,14 @@ Windows 10 version 1709 or later | [Windows Defender AV real-time protection](..
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled.
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled.
+
+Here is an example query
+
+```
+MiscEvents
+| where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked')
+```
## Review network protection events in Windows Event Viewer
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
index 15fd8b2886..58f95ecbc5 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
@@ -39,9 +39,9 @@ The following tables provide more information about the hardware, firmware, and
|--------------------------------|----------------------------------------------------|-------------------|
| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | |
| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. |
-| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
-| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
-| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
+| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
+| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
+| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.
| Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
> **Important** The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide.
@@ -64,7 +64,7 @@ The following tables describe additional hardware and firmware qualifications, a
| Protections for Improved Security | Description | Security benefits |
|---------------------------------------------|----------------------------------------------------|-----|
-| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies).
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://docs.microsoft.com/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. |
+| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies).
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://docs.microsoft.com/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. |
| Firmware: **Firmware Update through Windows Update** | Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. |
| Firmware: **Securing Boot Configuration and Management** | • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.| • Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
index 9ae361f1fd..89c98507fe 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
@@ -86,4 +86,53 @@ This can only be done in Group Policy.
6. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**.
-7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+
+## Notifications
+
+| Purpose | Notification text | Toast Identifier | Critical? |
+|---------|------------------|-------------|-----------|
+| Network isolation | Your IT administrator has caused Windows Defender to disconnect your device. Contact IT help desk. | SENSE_ISOLATION | Yes |
+| Network isolation customized | _Company name_ has caused Windows Defender to disconnect your device. Contact IT help desk _phone number_, _email address_, _url_. | SENSE_ISOLATION_CUSTOM (body) | Yes |
+| Restricted access | Your IT administrator has caused Windows Defender to limit actions on this device. Some apps may not function as expected. Contact IT help desk. | SENSE_PROCESS_RESTRICTION | Yes |
+| Restricted access customized | _Company_ has caused Windows Defender to limit actions on this device. Some apps may not function as expected. Contact IT help desk. | SENSE_PROCESS_RESTRICTION_CUSTOM (body) | Yes |
+| HVCI, driver compat check fails (upon trying to enable) | There may be an incompatibility on your device. | HVCI_ENABLE_FAILURE | Yes |
+| HVCI, reboot needed to enable | The recent change to your protection settings requires a restart of your device. | HVCI_ENABLE_SUCCESS | Yes |
+| Item skipped in scan, due to exclusion setting, or network scanning disabled by admin | The Windows Defender Antivirus scan skipped an item due to exclusion or network scanning settings. | ITEM_SKIPPED | Yes |
+| Remediation failure | Windows Defender Antivirus couldn’t completely resolve potential threats. | CLEAN_FAILED | Yes |
+| Follow-up action (restart & scan) | Windows Defender Antivirus found _threat_ in _file name_. Please restart and scan your device. Restart and scan | MANUALSTEPS_REQUIRED | Yes |
+| Follow-up action (restart) | Windows Defender Antivirus found _threat_ in _file_. Please restart your device. | WDAV_REBOOT | Yes |
+| Follow-up action (Full scan) | Windows Defender Antivirus found _threat_ in _file_. Please run a full scan of your device. | FULLSCAN_REQUIRED | Yes |
+| Sample submission prompt | Review files that Windows Defender will send to Microsoft. Sending this information can improve how Windows Defender Antivirus helps protect your device. | SAMPLE_SUBMISSION_REQUIRED | Yes |
+| OS support ending warning | Support for your version of Windows is ending. When this support ends, Windows Defender Antivirus won’t be supported, and your device might be at risk. | SUPPORT_ENDING | Yes |
+| OS support ended, device at risk | Support for your version of Windows has ended. Windows Defender Antivirus is no longer supported, and your device might be at risk. | SUPPORT_ENDED _and_ SUPPORT_ENDED_NO_DEFENDER | Yes |
+| Summary notification, items found | Windows Defender Antivirus successfully took action on _n_ threats since your last summary. Your device was scanned _n_ times. | RECAP_FOUND_THREATS_SCANNED | No |
+| Summary notification, items found, no scan count | Windows Defender Antivirus successfully took action on _n_ threats since your last summary. | RECAP_FOUND_THREATS | No |
+| Summary notification, **no** items found, scans performed | Windows Defender Antivirus did not find any threats since your last summary. Your device was scanned _n_ times. | RECAP_NO THREATS_SCANNED | No |
+| Summary notification, **no** items found, no scans | Windows Defender Antivirus did not find any threats since your last summary. | RECAP_NO_THREATS | No |
+| Scan finished, manual, threats found | Windows Defender Antivirus scanned your device at _timestamp_ on _date_, and took action against threats. | RECENT_SCAN_FOUND_THREATS | No |
+| Scan finished, manual, **no** threats found | Windows Defender Antivirus scanned your device at _timestamp_ on _date_. No threats were found. | RECENT_SCAN_NO_THREATS | No |
+| Threat found | Windows Defender Antivirus found threats. Get details. | CRITICAL | No |
+| LPS on notification | Windows Defender Antivirus is periodically scanning your device. You’re also using another antivirus program for active protection. | PERIODIC_SCANNING_ON | No |
+| Long running BaFS | Your IT administrator requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS | No |
+| Long running BaFS customized | _Company_ requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS_DETECTED_CUSTOM (body) | No |
+| Sense detection | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED | No |
+| Sense detection customized | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED_CUSTOM (body) | No |
+| Ransomware specific detection | Windows Defender Antivirus has detected threats which may include ransomware. | WDAV_RANSOMWARE_DETECTED | No |
+| ASR (HIPS) block | Your IT administrator caused Windows Defender Security Center to block this action. Contact your IT help desk. | HIPS_ASR_BLOCKED | No |
+| ASR (HIPS) block customized | _Company_ caused Windows Defender Security Center to block this action. Contact your IT help desk. | HIPS_ASR_BLOCKED_CUSTOM (body) | No |
+| CFA (FolderGuard) block | Controlled folder access blocked _process_ from making changes to the folder _path_ | FOLDERGUARD_BLOCKED | No |
+| Network protect (HIPS) network block customized | _Company_ caused Windows Defender Security Center to block this network connection. Contact your IT help desk. | HIPS_NETWORK_BLOCKED_CUSTOM (body) | No |
+| Network protection (HIPS) network block | Your IT administrator caused Windows Defender Security Center to block this network connection. Contact your IT help desk. | HIPS_NETWORK_BLOCKED | No |
+| PUA detection, not blocked | Your settings cause the detection of any app that might perform unwanted actions on your computer. | PUA_DETECTED | No |
+| PUA notification | Your IT settings caused Windows Defender Antivirus to block an app that may potentially perform unwanted actions on your device. | PUA_BLOCKED | No |
+| PUA notification, customized | _Company_ caused Windows Defender Antivirus to block an app that may potentially perform unwanted actions on your device. | PUA_BLOCKED_CUSTOM (body) | No |
+| Network isolation ended | | | No |
+| Network isolation ended, customized | | | No |
+| Restricted access ended | | | No |
+| Restricted access ended, customized | | | No |
+| Dynamic lock on, but bluetooth off | | | No |
+| Dynamic lock on, bluetooth on, but device unpaired | | | No |
+| Dynamic lock on, bluetooth on, but unable to detect device | | | No |
+| NoPa or federated no hello | | | No |
+| NoPa or federated hello broken | | | No |
diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
index aa048c032f..a12e0b136b 100644
--- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
@@ -95,7 +95,7 @@ You can find more information about each section, including options for configur
>
>Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security).
-> [!WARNING]
+> [!WARNING]
> If you disable the Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
>
>It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed.
@@ -108,7 +108,7 @@ It acts as a collector or single place to see the status and perform some config
Disabling any of the individual features (through Group Policy or other management tools, such as System Center Configuration Manager) will prevent that feature from reporting its status in the Windows Security app. The Windows Security app itself will still run and show status for the other security features.
-> [!IMPORTANT]
+> [!IMPORTANT]
> Individually disabling any of the services will not disable the other services or the Windows Security app.
For example, [using a third-party antivirus will disable Windows Defender Antivirus](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall.
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
index 24b4c8ebd1..1a7b1eae79 100644
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
@@ -21,7 +21,7 @@ ms.author: dansimp
Windows Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Windows Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely.
-See [Windows 10 (and later) settings to protect devices using Intune](https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune.
+See [Windows 10 (and later) settings to protect devices using Intune](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune.
## Group Policy settings
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
index b941ae353b..12253adde3 100644
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
@@ -71,5 +71,5 @@ SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Even
- [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings)
->[!NOTE]
+>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index ceb1488e72..be6c791392 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -61,7 +61,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic
>[!NOTE]
->To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control), [Credential Guard](https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements), and [Virtualization Based Security](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity).
+>To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](https://docs.microsoft.com/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control), [Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements), and [Virtualization Based Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity).
## Requirements Met by System Guard Enabled Machines
Any machine with System Guard enabled will automatically meet the following low-level hardware requirements:
diff --git a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
index 5c31e736a7..a0422c4a14 100644
--- a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
+++ b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
@@ -33,7 +33,7 @@ The following sample file uses item-level targeting to ensure that the registry
>**Note:** The file shown here is for sample use only. It should be customized to meet the requirements of your organization’s deployment. To customize this file, import it into a test GPO, modify the settings, and then drag the Server and Domain Isolation Settings node to your desktop. The new file will contain all of your customization.
-``` syntax
+```xml
diff --git a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
index 7382a66a00..04739b0f9c 100644
--- a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
@@ -71,4 +71,4 @@ For more information about this design:
- For a list of detailed tasks that you can use to deploy your basic firewall policy design, see [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md).
-**Next: **[Domain Isolation Policy Design](domain-isolation-policy-design.md)
+**Next:** [Domain Isolation Policy Design](domain-isolation-policy-design.md)
diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
index accc64084b..efa67c42bc 100644
--- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
@@ -57,4 +57,4 @@ By using the Active Directory Users and Computers snap-in, Woodgrove Bank create
Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG\_COMPUTER\_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local device.
-**Next: **[Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
+**Next:** [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
index 3bd6236176..1be717ce49 100644
--- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
@@ -45,4 +45,4 @@ For more info about this design:
- For a list of tasks that you can use to deploy your certificate-based policy design, see [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md).
-**Next: **[Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
+**Next:** [Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
index 851b77b568..ea78e8de16 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
@@ -29,10 +29,6 @@ To configure Windows Defender Firewall with Advanced Security to log dropped pac
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
-In this topic:
-
-- [To configure the Windows Defender Firewall with Advanced Security log](#to-configure-the-windows-firewall-log)
-
## To configure the Windows Defender Firewall with Advanced Security log
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
index 9dc6366064..8de4021830 100644
--- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
+++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
@@ -27,9 +27,7 @@ ms.date: 04/11/2019
To get started, open Device Configuration in Intune, then create a new profile.
Choose Windows 10 as the platform, and Endpoint Protection as the profile type.
-Select Windows Defender Firewall.
-Add a firewall rule to this new Endpoint Protection profile using the Add button at the bottom of the blade.
-
+Select Windows Defender Firewall.
>[!IMPORTANT]
diff --git a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
index 048a242e05..83f35fe206 100644
--- a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
+++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
@@ -52,4 +52,4 @@ The information that you gather will help you answer the following questions. Th
This guide describes how to plan your groups and GPOs for an environment with a mix of operating systems. Details can be found in the section [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) later in this guide.
-**Next: **[Gathering the Information You Need](gathering-the-information-you-need.md)
+**Next:** [Gathering the Information You Need](gathering-the-information-you-need.md)
diff --git a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
index e5abd70033..d7bed686fa 100644
--- a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
+++ b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
@@ -144,4 +144,4 @@ With the other information that you have gathered in this section, this informat
The costs identified in this section only capture the projected cost of the device upgrades. Many additional design, support, test, and training costs should be accounted for in the overall project plan.
-**Next: **[Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)
+**Next:** [Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)
diff --git a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
index 45577c869a..0fa1893aa6 100644
--- a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
@@ -32,4 +32,4 @@ Generally, the task of determining zone membership is not complex, but it can be
| SENSITIVE001 | Yes| Yes| Not required.| Running Windows Server 2012. Ready for inclusion.| $0| Isolated server (in zone by itself)|
| PRINTSVR1 | Yes| Yes| Not required.| Running Windows Server 2008 R2. Ready for inclusion.| $0| Boundary|
-**Next: **[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)
+**Next:** [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
index 8179db1063..d0e345f2c5 100644
--- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
@@ -63,4 +63,4 @@ The following groups were created by using the Active Directory Users and Comput
>**Note:** If you are designing GPOs for only Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. However, devices that are running older versions of Windows can only support a single IPsec policy being active at a time. The policies for each GPO must be complete (and to a great extent redundant with each other), because you cannot layer them as you can in the newer versions of Windows. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group.
-**Next: **[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
+**Next:** [Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone.md b/windows/security/threat-protection/windows-firewall/encryption-zone.md
index 2330b6ee32..ced058672b 100644
--- a/windows/security/threat-protection/windows-firewall/encryption-zone.md
+++ b/windows/security/threat-protection/windows-firewall/encryption-zone.md
@@ -67,4 +67,4 @@ The GPO for devices that are running at least Windows Server 2008 should includ
- If domain member devices must communicate with devices in the encryption zone, ensure that you include in the isolated domain GPOs quick mode combinations that are compatible with the requirements of the encryption zone GPOs.
-**Next: **[Planning Server Isolation Zones](planning-server-isolation-zones.md)
+**Next:** [Planning Server Isolation Zones](planning-server-isolation-zones.md)
diff --git a/windows/security/threat-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md
index 93dbefc241..5911a0bedc 100644
--- a/windows/security/threat-protection/windows-firewall/exemption-list.md
+++ b/windows/security/threat-protection/windows-firewall/exemption-list.md
@@ -57,4 +57,4 @@ To keep the number of exemptions as small as possible, you have several options:
As with defining the boundary zone, create a formal process to approve hosts being added to the exemption list. For a model of processing requests for exemptions, see the decision flowchart in the [Boundary Zone](boundary-zone.md) section.
-**Next: **[Isolated Domain](isolated-domain.md)
+**Next:** [Isolated Domain](isolated-domain.md)
diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
index fef8bc41e2..5127569bc4 100644
--- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
@@ -110,5 +110,5 @@ The following groups were created by using the Active Directory Users and Comput
In your own design, create a group for each computer role in your organization that requires different or additional firewall rules. For example, file servers and print servers require additional rules to allow the incoming network traffic for those functions. If a function is ordinarily performed on most devices on the network, you might consider adding devices performing those roles to the common default firewall GPO set, unless there is a security reason not to include it there.
-**Next: **[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
+**Next:** [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
index 5b0c733db4..cd4b6c6d78 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
@@ -37,4 +37,4 @@ Active Directory is another important item about which you must gather informati
- **Existing IPsec policy**. Because this project culminates in the implementation of IPsec policy, you must understand how the network currently uses IPsec (if at all). Windows Defender Firewall connection security rules for versions of Windows prior to Windows Vista and Windows Server 2008 are not compatible with earlier versions of Windows. If you already have IPsec policies deployed to devices running Windows XP and Windows Server 2003 in your organization, you must ensure that the new IPsec policies you deploy enable devices using either the old or new IPsec policies to communicate with each other.
-**Next: **[Gathering Information about Your Devices](gathering-information-about-your-devices.md)
+**Next:** [Gathering Information about Your Devices](gathering-information-about-your-devices.md)
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
index 34b00db3ac..992c8390e8 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
@@ -118,4 +118,4 @@ Some of the more common applications and protocols are as follows:
- **Other traffic**. Windows Defender Firewall can help secure transmissions between devices by providing authentication of the packets in addition to encrypting the data that they contain. The important thing to do is to identify what must be protected, and the threats that must be mitigated. Examine and model other traffic or traffic types that must be secured.
-**Next: **[Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md)
+**Next:** [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md)
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
index 79f64faa4e..2feb5a2fd1 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
@@ -59,4 +59,4 @@ Whether you use an automatic, manual, or hybrid option to gather the information
This inventory will be critical for planning and implementing your Windows Defender Firewall design.
-**Next: **[Gathering Other Relevant Information](gathering-other-relevant-information.md)
+**Next:** [Gathering Other Relevant Information](gathering-other-relevant-information.md)
diff --git a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
index 7a20dd71a7..5d29784f77 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
@@ -82,4 +82,4 @@ Network Monitor includes parsers for the ISAKMP (IKE), AH, and ESP protocols. Ne
Message Analyzer is available on the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=44226).
-**Next: **[Determining the Trusted State of Your Devices](determining-the-trusted-state-of-your-devices.md)
+**Next:** [Determining the Trusted State of Your Devices](determining-the-trusted-state-of-your-devices.md)
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
index 65e05e7876..006015b36a 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
@@ -48,4 +48,4 @@ Copy the firewall rules for the boundary zone from the GPO that contains the fir
Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules.
-**Next: **[Encryption Zone GPOs](encryption-zone-gpos.md)
+**Next:** [Encryption Zone GPOs](encryption-zone-gpos.md)
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
index 0820c4aacb..e16a7ecc32 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
@@ -50,7 +50,7 @@ Change the action for every inbound firewall rule from **Allow the connection**
Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules.
-**Next: **[Server Isolation GPOs](server-isolation-gpos.md)
+**Next:** [Server Isolation GPOs](server-isolation-gpos.md)
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
index 81e55a89ac..e44b50dd82 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
@@ -70,4 +70,4 @@ This GPO provides the following rules:
- A firewall exception rule to allow required network traffic for the WGBank dashboard program. This inbound rule allows network traffic for the program Dashboard.exe in the %ProgramFiles%\\WGBank folder. The rule is also filtered to only allow traffic on port 1551. This rule is applied only to the domain profile.
-**Next: **[Isolated Domain GPOs](isolated-domain-gpos.md)
+**Next:** [Isolated Domain GPOs](isolated-domain-gpos.md)
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
index 4701b4565d..eda2c2ccc5 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
@@ -88,4 +88,4 @@ This GPO provides the following rules:
- Authentication mode is set to **Do not authenticate**.
-**Next: **[GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md)
+**Next:** [GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md)
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
index 6e5fc43ced..bfe618f15f 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
@@ -31,5 +31,5 @@ Because so many of the settings and rules for this GPO are common to those in th
>**Important:** Windows Vista and Windows Server 2008 support only one network location profile at a time. The profile for the least secure network type is applied to the device. If you attach a network adapter to a device that is not physically connected to a network, the public network location type is associated with the network adapter and applied to the device.
-**Next: **[Boundary Zone GPOs](boundary-zone-gpos.md)
+**Next:** [Boundary Zone GPOs](boundary-zone-gpos.md)
diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain.md b/windows/security/threat-protection/windows-firewall/isolated-domain.md
index 7c2bb196ff..bb06dc1bff 100644
--- a/windows/security/threat-protection/windows-firewall/isolated-domain.md
+++ b/windows/security/threat-protection/windows-firewall/isolated-domain.md
@@ -64,4 +64,4 @@ GPOs for devices running at least Windows Vista and Windows Server 2008 should
>**Note:** For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md).
-**Next: **[Boundary Zone](boundary-zone.md)
+**Next:** [Boundary Zone](boundary-zone.md)
diff --git a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
index 8c6362f758..9c73c224b9 100644
--- a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
+++ b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
@@ -38,4 +38,4 @@ Use the following table to determine which Windows Firewall with Advanced Securi
To examine details for a specific design, click the design title at the top of the column in the preceding table.
-**Next: **[Basic Firewall Policy Design](basic-firewall-policy-design.md)
+**Next:** [Basic Firewall Policy Design](basic-firewall-policy-design.md)
diff --git a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
index bba537328b..17d43619ee 100644
--- a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
@@ -29,12 +29,6 @@ This procedure shows you how to open the Windows Defender Firewall with Advanced
To complete this procedure, you must be a member of the Administrators group. For more information, see Additional considerations.
-## Opening Windows Defender Firewall
-
-- [Using the Windows interface](#to-open-windows-firewall-with-advanced-security-using-the-ui)
-
-- [Using a command line](#to-open-windows-firewall-with-advanced-security-from-a-command-prompt)
-
## To open Windows Defender Firewall using the UI
Click Start, type **Windows Defender Firewall**, and the press ENTER.
diff --git a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
index 71ef3b2620..100858ecbe 100644
--- a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
+++ b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
@@ -59,4 +59,4 @@ When the clients and servers have the certificates available, you can configure
Starting in Windows Server 2012,you can configure certificate selection criteria so the desired certificate is selected and/or validated. Enhanced Key Usage (EKU) criteria can be configured, as well as name restrictions and certificate thumbprints. This is configured using the **Advanced** button when choosing certificates for the authentication method in the user interface, or through Windows PowerShell.
-**Next: **[Documenting the Zones](documenting-the-zones.md)
+**Next:** [Documenting the Zones](documenting-the-zones.md)
diff --git a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
index 0536c63506..0798ba72d5 100644
--- a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
@@ -43,5 +43,5 @@ Multiple GPOs might be delivered to each group. Which one actually becomes appli
If multiple GPOs are assigned to a group, and similar rules are applied, the rule that most specifically matches the network traffic is the one that is used by the device. For example, if one IPsec rule says to request authentication for all IP traffic, and a second rule from a different GPO says to require authentication for IP traffic to and from a specific IP address, then the second rule takes precedence because it is more specific.
-**Next: **[Planning Network Access Groups](planning-network-access-groups.md)
+**Next:** [Planning Network Access Groups](planning-network-access-groups.md)
diff --git a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
index fb13446ed6..3043878e04 100644
--- a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
+++ b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
@@ -38,4 +38,4 @@ For the Woodgrove Bank scenario, access to the devices running SQL Server that s
>**Note:** Membership in a NAG does not control the level of IPsec traffic protection. The IKE negotiation is only aware of whether the device or user passed or failed the Kerberos V5 authentication process. The connection security rules in the applied GPO control the security methods that are used for protecting traffic and are independent of the identity being authenticated by Kerberos V5.
-**Next: **[Planning the GPOs](planning-the-gpos.md)
+**Next:** [Planning the GPOs](planning-the-gpos.md)
diff --git a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
index f1977f0234..f42eca057b 100644
--- a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
@@ -79,4 +79,4 @@ GPOs for devices running at least Windows Server 2008 should include the follow
>**Note:** For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md).
-**Next: **[Planning Certificate-based Authentication](planning-certificate-based-authentication.md)
+**Next:** [Planning Certificate-based Authentication](planning-certificate-based-authentication.md)
diff --git a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
index f75466f965..8138bd8ee1 100644
--- a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
+++ b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
@@ -55,4 +55,4 @@ The following is a list of the firewall settings that you might consider for inc
- **Outbound rules**. Only create outbound rules to block network traffic that must be prevented in all cases. If your organization prohibits the use of certain network programs, you can support that policy by blocking the known network traffic used by the program. Be sure to test the restrictions before you deploy them to avoid interfering with traffic for needed and authorized programs.
-**Next: **[Planning Domain Isolation Zones](planning-domain-isolation-zones.md)
+**Next:** [Planning Domain Isolation Zones](planning-domain-isolation-zones.md)
diff --git a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
index b00682c8e7..6992965186 100644
--- a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
+++ b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
@@ -95,4 +95,4 @@ After you have selected a design and assigned your devices to zones, you can beg
When you are ready to examine the options for the groups, filters, and GPOs, see the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section.
-**Next: **[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)
+**Next:** [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)
diff --git a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
index 46d4138780..a3ca3c4b6e 100644
--- a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
+++ b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
@@ -47,4 +47,4 @@ The following component is recommended for this deployment goal:
Other means of deploying a firewall policy are available, such as creating scripts that use the netsh command-line tool, and then running those scripts on each computer in the organization. This guide uses Active Directory as a recommended means of deployment because of its ability to scale to very large organizations.
-**Next: **[Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
+**Next:** [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
index d82a578afb..4f5c2b1cb0 100644
--- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
+++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
@@ -45,4 +45,4 @@ The following components are required for this deployment goal:
- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain.
-**Next: **[Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)
+**Next:** [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)
diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
index 66ddfe63d9..b34c8d48ea 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
@@ -49,4 +49,4 @@ The following components are required for this deployment goal:
- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain.
-**Next: **[Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
+**Next:** [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
index 015a1f0957..cbdd8e51d9 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
@@ -59,4 +59,4 @@ The following components are required for this deployment goal:
- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain.
-**Next: **[Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
+**Next:** [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
index a22b209144..dbffb1b8f1 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
@@ -36,4 +36,4 @@ This GPO is identical to the GPO\_DOMISO\_Encryption GPO with the following chan
>**Important:** Earlier versions of Windows support only device-based authentication. If you specify that user authentication is mandatory, only users on devices that are running at least Windows Vista or Windows Server 2008 can connect.
-**Next: **[Planning GPO Deployment](planning-gpo-deployment.md)
+**Next:** [Planning GPO Deployment](planning-gpo-deployment.md)
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
index f693d8a70b..b93e884682 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
@@ -82,4 +82,4 @@ If Woodgrove Bank wants to implement server isolation without domain isolation,
You do not have to include the encryption-capable rules on all devices. Instead, you can create GPOs that are applied only to members of the NAG, in addition to the standard domain isolation GPO, that contain connection security rules to support encryption.
-**Next: **[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
+**Next:** [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
index 8a3e3033be..1eeea3dc76 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
@@ -59,4 +59,4 @@ For more info about this design:
- For a list of tasks that you can use to deploy your server isolation policy design, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md).
-**Next: **[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
+**Next:** [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md
index f5a711db65..d9cd25a523 100644
--- a/windows/security/threat-protection/windows-platform-common-criteria.md
+++ b/windows/security/threat-protection/windows-platform-common-criteria.md
@@ -1,177 +1,177 @@
----
-title: Common Criteria Certifications
-description: This topic details how Microsoft supports the Common Criteria certification program.
-ms.prod: w10
-audience: ITPro
-author: dulcemontemayor
-ms.author: dolmont
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 3/20/2019
-ms.reviewer:
----
-
-# Common Criteria Certifications
-
-Microsoft is committed to optimizing the security of its products and services. As part of that commitment, Microsoft supports the Common Criteria certification program, continues to ensure that products incorporate the features and functions required by relevant Common Criteria protection profiles, and completes Common Criteria certifications of Microsoft Windows products.
-
-## Common Criteria Security Targets
-
-### Information for Systems Integrators and Accreditors
-
-The Security Target describes security functionality and assurance measures used to evaluate Windows.
-
- - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf)
- - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf)
- - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf)
- - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf)
- - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx)
- - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20\(december%202%202016\)%20\(clean\).docx)
- - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20\(december%2029%202016\)%20\(clean\).docx)
- - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/7/2/372beb03-b1ed-4bb6-9b9b-b8f43afc570d/st_vid10746-st.pdf)
- - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/a/c/2/ac2a6ed8-4d2f-4f48-a9bf-f059d6c9af38/windows%2010%20mdf3%20security%20target%20-%20public%20\(june%2022%202016\)\(final\).docx)
- - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
- - [Windows 10 and Windows Server 2012 R2](http://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf)
- - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
- - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-st.pdf)
- - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-st.pdf)
- - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-st.pdf)
- - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-st.pdf)
- - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-st.pdf)
- - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf)
- - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf)
- - [Windows 7 and Windows Server 2008 R2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf)
- - [Microsoft Windows Server 2008 R2 Hyper-V Role](http://www.microsoft.com/download/en/details.aspx?id=29305)
- - [Windows Vista and Windows Server 2008 at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf)
- - [Microsoft Windows Server 2008 Hyper-V Role](http://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf)
- - [Windows Vista and Windows Server 2008 at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf)
- - [Windows Server 2003 SP2 including R2, x64, and IA64; Windows XP Professional SP2 and x64 SP2; and Windows XP Embedded SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10184-st.pdf)
- - [Windows Server 2003 Certificate Server](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf)
- - [Windows Rights Management Services (RMS) 1.0 SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf)
-
-## Common Criteria Deployment and Administration
-
-### Information for IT Administrators
-
-These documents describe how to configure Windows to replicate the configuration used during the Common Criteria evaluation.
-
-**Windows 10, Windows 10 Mobile, Windows Server 2016, Windows Server 2012 R2**
-
-
- - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf)
- - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf)
- - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf)
- - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf)
- - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx)
- - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20\(final\).docx)
- - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client Operational Guidance](https://download.microsoft.com/download/2/c/c/2cc8f929-233e-4a40-b673-57b449680984/windows%2010%20au%20and%20server%202016%20ipsec%20vpn%20client%20operational%20guidance%20\(21%20dec%202016\)%20\(public\).docx)
- - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/3/f/33fa01dd-b380-46e1-833f-fd85854b4022/st_vid10746-agd.pdf)
- - [Microsoft Windows 10 November 2015 Update with Surface Book Administrative Guide](https://download.microsoft.com/download/3/2/c/32c6fa02-b194-478f-a0f6-0215b47d0f40/windows%2010%20mdf3%20mobile%20device%20pp%20operational%20guidance%20\(may%2027,%202016\)\(public\).docx)
- - [Microsoft Windows 10 Mobile and Windows 10 Administrative Guide](https://download.microsoft.com/download/2/d/c/2dce3435-9328-48e2-9813-c2559a8d39fa/microsoft%20windows%2010%20and%20windows%2010%20mobile%20guidance.pdf)
- - [Windows 10 and Windows Server 2012 R2 Administrative Guide](https://download.microsoft.com/download/0/f/d/0fd33c9a-98ac-499e-882f-274f80f3d4f0/microsoft%20windows%2010%20and%20server%202012%20r2%20gp%20os%20guidance.pdf)
- - [Windows 10 Common Criteria Operational Guidance](https://download.microsoft.com/download/d/6/f/d6fb4cec-f0f2-4d00-ab2e-63bde3713f44/windows%2010%20mobile%20device%20operational%20guidance.pdf)
-
-**Windows 8.1 and Windows Phone 8.1**
-
- - [Microsoft Surface Pro 3 Common Criteria Mobile Operational Guidance](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx)
- - [Windows 8.1 and Windows Phone 8.1 CC Supplemental Admin Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx)
-
-**Windows 8, Windows RT, and Windows Server 2012**
-
- - [Windows 8 and Windows Server 2012](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx)
- - [Windows 8 and Windows RT](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx)
- - [Windows 8 and Windows Server 2012 BitLocker](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf)
- - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx)
-
-**Windows 7 and Windows Server 2008 R2**
-
- - [Windows 7 and Windows Server 2008 R2 Supplemental CC Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00)
- - [Windows Server 2008 R2 Hyper-V Common Criteria Configuration Guide](http://www.microsoft.com/download/en/details.aspx?id=29308)
-
-**Windows Vista and Windows Server 2008**
-
- - [Windows Vista and Windows Server 2008 Supplemental CC Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567)
- - [Windows Server 2008 Hyper-V Role Common Criteria Administrator Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08)
-
-**Windows Server 2003 SP2 including R2, x64, and Itanium**
-
- - [Windows Server 2003 SP2 R2 Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=39598841-e693-4891-9234-cfd1550f3949)
- - [Windows Server 2003 SP2 R2 Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=4f7b6a93-0307-480f-a5af-a20268cbd7cc)
-
-**Windows Server 2003 SP1(x86), x64, and IA64**
-
- - [Windows Server 2003 with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=8a26829f-c177-4b79-913a-4135fb7b96ef)
- - [Windows Server 2003 with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=3f9ecd0a-74dd-4d23-a4e5-d7b63fed70e8)
-
-**Windows Server 2003 SP1**
-
- - [Windows Server 2003 Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=75736009-59e9-4a71-879e-cf581817b8cc)
- - [Windows Server 2003 Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=a0ad1856-beb7-4285-b47c-381e8a210c38)
-
-**Windows XP Professional SP2 (x86) and x64 Edition**
-
- - [Windows XP Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=9a7f0b16-72ce-4675-aec8-58785c4e37ee)
- - [Windows XP Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=165da57d-f066-4ddf-9462-cbecfcd68694)
- - [Windows XP Common Criteria User Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=7c1a4761-9b9e-429c-84eb-cd7b034c5779)
- - [Windows XP Professional with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=346f041e-d641-4af7-bdea-c5a3246d0431)
- - [Windows XP Professional with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=a7075319-cc3d-4420-a00b-8c9a7068ad54)
- - [Windows XP Professional with x64 Hardware User’s Guide](http://www.microsoft.com/downloads/details.aspx?familyid=26c49cf5-6159-4197-97ce-bf1fdfc54569)
-
-**Windows XP Professional SP2, and XP Embedded SP2**
-
- - [Windows XP Professional Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9bcac470-a0b3-4d34-a561-fa8308c0ff60)
- - [Windows XP Professional Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9f04915e-571a-422d-8ffa-5797051e81de)
- - [Windows XP Professional User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=d39d0028-7093-495c-80da-2b5b29a54bd8)
-
-**Windows Server 2003 Certificate Server**
-
- - [Windows Server 2003 Certificate Server Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d)
- - [Windows Server 2003 Certificate Server Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2)
- - [Windows Server 2003 Certificate Server User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e)
-
-## Common Criteria Evaluation Technical Reports and Certification / Validation Reports
-
-### Information for Systems Integrators and Accreditors
-
-An Evaluation Technical Report (ETR) is a report submitted to the Common Criteria certification authority for how Windows complies with the claims made in the Security Target. A Certification / Validation Report provides the results of the evaluation by the validation team.
-
- - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf)
- - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf)
- - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf)
- - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf)
- - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf)
- - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf)
- - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf)
- - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf)
- - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf)
- - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10694-vr.pdf)
- - [Windows 10 and Windows Server 2012 R2](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf)
- - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-vr.pdf)
- - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-vr.pdf)
- - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-vr.pdf)
- - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-vr.pdf)
- - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-vr.pdf)
- - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-vr.pdf)
- - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf)
- - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf)
- - [Windows 7 and Windows Server 2008 R2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf)
- - [Windows Vista and Windows Server 2008 Validation Report at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf)
- - [Windows Server 2008 Hyper-V Role Certification Report](http://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf)
- - [Windows Vista and Windows Server 2008 Certification Report at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf)
- - [Windows XP / Windows Server 2003 with x64 Hardware ETR](http://www.microsoft.com/downloads/details.aspx?familyid=6e8d98f9-25b9-4c85-9bd9-24d91ea3c9ef)
- - [Windows XP / Windows Server 2003 with x64 Hardware ETR, Part II](http://www.microsoft.com/downloads/details.aspx?familyid=0c35e7d8-9c56-4686-b902-d5ffb9915658)
- - [Windows Server 2003 SP2 including R2, Standard, Enterprise, Datacenter, x64, and Itanium Editions Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
- - [Windows XP Professional SP2 and x64 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
- - [Windows XP Embedded SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
- - [Windows XP and Windows Server 2003 ETR](http://www.microsoft.com/downloads/details.aspx?familyid=63cf2a1e-f578-4bb5-9245-d411f0f64265)
- - [Windows XP and Windows Server 2003 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9506-vr.pdf)
- - [Windows Server 2003 Certificate Server ETR](http://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314)
- - [Windows Server 2003 Certificate Server Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf)
- - [Microsoft Windows Rights Management Services (RMS) 1.0 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf)
-
-## Other Common Criteria Related Documents
-
- - [Identifying Windows XP and Windows Server 2003 Common Criteria Certified Requirements for the NIST Special Publication 800-53](https://download.microsoft.com/download/a/9/6/a96d1dfc-2bd4-408d-8d93-e0ede7529691/xpws03_ccto800-53.doc)
-
+---
+title: Common Criteria Certifications
+description: This topic details how Microsoft supports the Common Criteria certification program.
+ms.prod: w10
+audience: ITPro
+author: dulcemontemayor
+ms.author: dolmont
+manager: dansimp
+ms.collection: M365-identity-device-management
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 3/20/2019
+ms.reviewer:
+---
+
+# Common Criteria Certifications
+
+Microsoft is committed to optimizing the security of its products and services. As part of that commitment, Microsoft supports the Common Criteria certification program, continues to ensure that products incorporate the features and functions required by relevant Common Criteria protection profiles, and completes Common Criteria certifications of Microsoft Windows products.
+
+## Common Criteria Security Targets
+
+### Information for Systems Integrators and Accreditors
+
+The Security Target describes security functionality and assurance measures used to evaluate Windows.
+
+ - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf)
+ - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf)
+ - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf)
+ - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf)
+ - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx)
+ - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20\(december%202%202016\)%20\(clean\).docx)
+ - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20\(december%2029%202016\)%20\(clean\).docx)
+ - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/7/2/372beb03-b1ed-4bb6-9b9b-b8f43afc570d/st_vid10746-st.pdf)
+ - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/a/c/2/ac2a6ed8-4d2f-4f48-a9bf-f059d6c9af38/windows%2010%20mdf3%20security%20target%20-%20public%20\(june%2022%202016\)\(final\).docx)
+ - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
+ - [Windows 10 and Windows Server 2012 R2](http://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf)
+ - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
+ - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-st.pdf)
+ - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-st.pdf)
+ - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-st.pdf)
+ - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-st.pdf)
+ - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-st.pdf)
+ - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf)
+ - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf)
+ - [Windows 7 and Windows Server 2008 R2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf)
+ - [Microsoft Windows Server 2008 R2 Hyper-V Role](http://www.microsoft.com/download/en/details.aspx?id=29305)
+ - [Windows Vista and Windows Server 2008 at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf)
+ - [Microsoft Windows Server 2008 Hyper-V Role](http://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf)
+ - [Windows Vista and Windows Server 2008 at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf)
+ - [Windows Server 2003 SP2 including R2, x64, and IA64; Windows XP Professional SP2 and x64 SP2; and Windows XP Embedded SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10184-st.pdf)
+ - [Windows Server 2003 Certificate Server](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf)
+ - [Windows Rights Management Services (RMS) 1.0 SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf)
+
+## Common Criteria Deployment and Administration
+
+### Information for IT Administrators
+
+These documents describe how to configure Windows to replicate the configuration used during the Common Criteria evaluation.
+
+**Windows 10, Windows 10 Mobile, Windows Server 2016, Windows Server 2012 R2**
+
+
+ - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf)
+ - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf)
+ - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf)
+ - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf)
+ - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx)
+ - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20\(final\).docx)
+ - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client Operational Guidance](https://download.microsoft.com/download/2/c/c/2cc8f929-233e-4a40-b673-57b449680984/windows%2010%20au%20and%20server%202016%20ipsec%20vpn%20client%20operational%20guidance%20\(21%20dec%202016\)%20\(public\).docx)
+ - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/3/f/33fa01dd-b380-46e1-833f-fd85854b4022/st_vid10746-agd.pdf)
+ - [Microsoft Windows 10 November 2015 Update with Surface Book Administrative Guide](https://download.microsoft.com/download/3/2/c/32c6fa02-b194-478f-a0f6-0215b47d0f40/windows%2010%20mdf3%20mobile%20device%20pp%20operational%20guidance%20\(may%2027,%202016\)\(public\).docx)
+ - [Microsoft Windows 10 Mobile and Windows 10 Administrative Guide](https://download.microsoft.com/download/2/d/c/2dce3435-9328-48e2-9813-c2559a8d39fa/microsoft%20windows%2010%20and%20windows%2010%20mobile%20guidance.pdf)
+ - [Windows 10 and Windows Server 2012 R2 Administrative Guide](https://download.microsoft.com/download/0/f/d/0fd33c9a-98ac-499e-882f-274f80f3d4f0/microsoft%20windows%2010%20and%20server%202012%20r2%20gp%20os%20guidance.pdf)
+ - [Windows 10 Common Criteria Operational Guidance](https://download.microsoft.com/download/d/6/f/d6fb4cec-f0f2-4d00-ab2e-63bde3713f44/windows%2010%20mobile%20device%20operational%20guidance.pdf)
+
+**Windows 8.1 and Windows Phone 8.1**
+
+ - [Microsoft Surface Pro 3 Common Criteria Mobile Operational Guidance](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx)
+ - [Windows 8.1 and Windows Phone 8.1 CC Supplemental Admin Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx)
+
+**Windows 8, Windows RT, and Windows Server 2012**
+
+ - [Windows 8 and Windows Server 2012](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx)
+ - [Windows 8 and Windows RT](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx)
+ - [Windows 8 and Windows Server 2012 BitLocker](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf)
+ - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx)
+
+**Windows 7 and Windows Server 2008 R2**
+
+ - [Windows 7 and Windows Server 2008 R2 Supplemental CC Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00)
+ - [Windows Server 2008 R2 Hyper-V Common Criteria Configuration Guide](http://www.microsoft.com/download/en/details.aspx?id=29308)
+
+**Windows Vista and Windows Server 2008**
+
+ - [Windows Vista and Windows Server 2008 Supplemental CC Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567)
+ - [Windows Server 2008 Hyper-V Role Common Criteria Administrator Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08)
+
+**Windows Server 2003 SP2 including R2, x64, and Itanium**
+
+ - [Windows Server 2003 SP2 R2 Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=39598841-e693-4891-9234-cfd1550f3949)
+ - [Windows Server 2003 SP2 R2 Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=4f7b6a93-0307-480f-a5af-a20268cbd7cc)
+
+**Windows Server 2003 SP1(x86), x64, and IA64**
+
+ - [Windows Server 2003 with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=8a26829f-c177-4b79-913a-4135fb7b96ef)
+ - [Windows Server 2003 with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=3f9ecd0a-74dd-4d23-a4e5-d7b63fed70e8)
+
+**Windows Server 2003 SP1**
+
+ - [Windows Server 2003 Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=75736009-59e9-4a71-879e-cf581817b8cc)
+ - [Windows Server 2003 Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=a0ad1856-beb7-4285-b47c-381e8a210c38)
+
+**Windows XP Professional SP2 (x86) and x64 Edition**
+
+ - [Windows XP Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=9a7f0b16-72ce-4675-aec8-58785c4e37ee)
+ - [Windows XP Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=165da57d-f066-4ddf-9462-cbecfcd68694)
+ - [Windows XP Common Criteria User Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=7c1a4761-9b9e-429c-84eb-cd7b034c5779)
+ - [Windows XP Professional with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=346f041e-d641-4af7-bdea-c5a3246d0431)
+ - [Windows XP Professional with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=a7075319-cc3d-4420-a00b-8c9a7068ad54)
+ - [Windows XP Professional with x64 Hardware User’s Guide](http://www.microsoft.com/downloads/details.aspx?familyid=26c49cf5-6159-4197-97ce-bf1fdfc54569)
+
+**Windows XP Professional SP2, and XP Embedded SP2**
+
+ - [Windows XP Professional Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9bcac470-a0b3-4d34-a561-fa8308c0ff60)
+ - [Windows XP Professional Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9f04915e-571a-422d-8ffa-5797051e81de)
+ - [Windows XP Professional User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=d39d0028-7093-495c-80da-2b5b29a54bd8)
+
+**Windows Server 2003 Certificate Server**
+
+ - [Windows Server 2003 Certificate Server Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d)
+ - [Windows Server 2003 Certificate Server Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2)
+ - [Windows Server 2003 Certificate Server User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e)
+
+## Common Criteria Evaluation Technical Reports and Certification / Validation Reports
+
+### Information for Systems Integrators and Accreditors
+
+An Evaluation Technical Report (ETR) is a report submitted to the Common Criteria certification authority for how Windows complies with the claims made in the Security Target. A Certification / Validation Report provides the results of the evaluation by the validation team.
+
+ - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf)
+ - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf)
+ - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf)
+ - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf)
+ - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf)
+ - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf)
+ - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf)
+ - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf)
+ - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf)
+ - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10694-vr.pdf)
+ - [Windows 10 and Windows Server 2012 R2](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf)
+ - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-vr.pdf)
+ - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-vr.pdf)
+ - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-vr.pdf)
+ - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-vr.pdf)
+ - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-vr.pdf)
+ - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-vr.pdf)
+ - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf)
+ - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf)
+ - [Windows 7 and Windows Server 2008 R2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf)
+ - [Windows Vista and Windows Server 2008 Validation Report at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf)
+ - [Windows Server 2008 Hyper-V Role Certification Report](http://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf)
+ - [Windows Vista and Windows Server 2008 Certification Report at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf)
+ - [Windows XP / Windows Server 2003 with x64 Hardware ETR](http://www.microsoft.com/downloads/details.aspx?familyid=6e8d98f9-25b9-4c85-9bd9-24d91ea3c9ef)
+ - [Windows XP / Windows Server 2003 with x64 Hardware ETR, Part II](http://www.microsoft.com/downloads/details.aspx?familyid=0c35e7d8-9c56-4686-b902-d5ffb9915658)
+ - [Windows Server 2003 SP2 including R2, Standard, Enterprise, Datacenter, x64, and Itanium Editions Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
+ - [Windows XP Professional SP2 and x64 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
+ - [Windows XP Embedded SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
+ - [Windows XP and Windows Server 2003 ETR](http://www.microsoft.com/downloads/details.aspx?familyid=63cf2a1e-f578-4bb5-9245-d411f0f64265)
+ - [Windows XP and Windows Server 2003 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9506-vr.pdf)
+ - [Windows Server 2003 Certificate Server ETR](http://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314)
+ - [Windows Server 2003 Certificate Server Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf)
+ - [Microsoft Windows Rights Management Services (RMS) 1.0 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf)
+
+## Other Common Criteria Related Documents
+
+ - [Identifying Windows XP and Windows Server 2003 Common Criteria Certified Requirements for the NIST Special Publication 800-53](https://download.microsoft.com/download/a/9/6/a96d1dfc-2bd4-408d-8d93-e0ede7529691/xpws03_ccto800-53.doc)
+
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/TOC.md b/windows/security/threat-protection/windows-security-configuration-framework/TOC.md
index 8ea1c320ba..4d844ddf4c 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/TOC.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/TOC.md
@@ -4,8 +4,8 @@
### [Security Compliance Toolkit](security-compliance-toolkit-10.md)
### [Get support](get-support-for-security-baselines.md)
## [Windows security configuration framework](windows-security-configuration-framework.md)
-### [Level 5 enterprise security](level-5-enterprise-security.md)
-### [Level 4 enterprise high security](level-4-enterprise-high-security.md)
-### [Level 3 enterprise VIP security](level-3-enterprise-vip-security.md)
-### [Level 2 enterprise dev/ops workstation](level-2-enterprise-devops-security.md)
-### [Level 1 enterprise administrator workstation](level-1-enterprise-administrator-security.md)
+### [Level 1 enterprise basic security](level-1-enterprise-basic-security.md)
+### [Level 2 enterprise enhanced security](level-2-enterprise-enhanced-security.md)
+### [Level 3 enterprise high security](level-3-enterprise-high-security.md)
+### [Level 4 enterprise dev/ops workstation](level-4-enterprise-devops-security.md)
+### [Level 5 enterprise administrator workstation](level-5-enterprise-administrator-security.md)
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png b/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png
index 06f66acf99..242f5dd9bc 100644
Binary files a/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png and b/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png differ
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-classification.png b/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-classification.png
deleted file mode 100644
index 75467f2098..0000000000
Binary files a/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-classification.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-deployment-methodologies.png b/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-deployment-methodologies.png
deleted file mode 100644
index 4f869474e2..0000000000
Binary files a/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-deployment-methodologies.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md
new file mode 100644
index 0000000000..60e0c1e82c
--- /dev/null
+++ b/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md
@@ -0,0 +1,358 @@
+---
+title: Level 1 enterprise basic security configuration
+description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 1 enterprise security configuration.
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.author: appcompatguy
+author: appcompatguy
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 05/29/2019
+---
+
+# Level 1 Enterprise Basic Security configuration
+
+**Applies to**
+
+- Windows 10
+
+Level 1 is the minimum security configuration for an enterprise device.
+Microsoft recommends the following configuration for level 1 devices.
+
+## Hardware
+
+Devices targeting Level 1 should support the following hardware features:
+
+- [Trusted Platform Module (TPM) 2.0](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-tpm)
+- [Bitlocker Drive Encryption](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-bitlocker)
+- [UEFI Secure Boot](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-secure-boot)
+- Drivers and Firmware Distributed through Windows Update
+
+## Policies
+
+The policies in level 1 enforce a reasonable security level while minimizing the impact to users or to applications.
+Microsoft recommends using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for these security configurations and controls, noting that the timeline can generally be short given the limited potential impact of the security controls.
+
+### Security Template Policies
+
+| Feature | Policy Setting | Policy Value | Description |
+|-------------------------|--------------------------------------------------------------------------------------------------|---------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Account Lockout | Account Lockout Duration | 15 | The number of minutes a locked-out account remains locked out before automatically becoming unlocked. If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time. |
+| Account Lockout | Account Lockout Threshold | 10 | The number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. |
+| Account Lockout | Reset account lockout conter after | 15 | The number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. |
+| Password Policy | Enforce password history | 24 | The number of unique new passwords that must be associated with a user account before an old password can be reused. |
+| Password Policy | Minimum password length | 14 | The least number of characters that a password for a user account may contain. |
+| Password Policy | Password must meet complexity requirements | Enabled | Determines whether passwords must meet complexity requirements:
1) Not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither check is case sensitive.
The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed to not be included in the password. Tokens that are less than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password.
2) Contain characters from three of the following categories:
- Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
- Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
- Base 10 digits (0 through 9)
-Non-alphanumeric characters (special characters):
(~!@#$%^&*_-+=`\|\\(){}[]:;"'<>,.?/)
Currency symbols such as the Euro or British Pound are not counted as special characters for this policy setting.
- Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages. |
+| Password Policy | Store passwords using reversible encryption | Disabled | Determines whether the operating system stores passwords using reversible encryption. |
+| Security Options | Accounts: Limit local account use of blank passwords to console logon only | Enabled | This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. |
+| Security Options | Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled | Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category level, and existing Group Policy may override the subcategory settings of new machines as they are joined to the domain or upgraded. To allow audit policy to be managed using subcategories without requiring a change to Group Policy, there is a new registry value in Windows Vista and later versions, SCENoApplyLegacyAuditPolicy, which prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool. |
+| Security Options | Domain member: Digitally encrypt or sign secure channel data (always) | Enabled | This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. This setting determines whether all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies:
- Domain member: Digitally encrypt secure channel data (when possible)
- Domain member: Digitally sign secure channel data (when possible) |
+| Security Options | Domain member: Digitally encrypt secure channel data (when possible) | Enabled | This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise, only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption. |
+| Security Options | Domain member: Digitally sign secure channel data (when possible) | Enabled | This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed, which ensures that it cannot be tampered with in transit. |
+| Security Options | Domain member: Disable machine account password changes | Disabled | Determines whether a domain member periodically changes its computer account password. |
+| Security Options | Domain member: Maximum machine account password age | 30 | Determines how often a domain member will attempt to change its computer account password |
+| Security Options | Domain member: require strong (Windows 2000 or later) session key | Enabled | Determines whether 128-bit key strength is required for encrypted secure channel data |
+| Security Options | Interactive logon: Machine inactivity limit | 900 | The number of seconds of inactivity before the session is locked |
+| Security Options | Interactive logon: Smart card removal behavior | Lock Workstation | This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. If you click **Lock Workstation** in the **Properties** for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart cards with them, and still maintain protected sessions. For this setting to work beginning with Windows Vista, the Smart Card Removal Policy service must be started. |
+| Security Options | Microsoft network client: Digitally sign communications (always) | Enabled | This security setting determines whether packet signing is required by the SMB client component. |
+| Security Options | Microsoft network client: Send unencrypted password to third party SMB servers| Disabled | If this security setting is enabled, the Server Message Block (SMB) redirector can send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. Sending unencrypted passwords is a security risk. |
+| Security Options | Microsoft network server: Digitally sign communications (always) | Enabled | This security setting determines whether packet signing is required by the SMB server component. |
+| Security Options | Network access: Allow anonymous SID/Name translation | Disabled | This security setting determines if an anonymous user can request security identifier (SID) attributes for another user. If this policy is enabled, a user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. |
+| Security Options | Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. This security option allows additional restrictions to be placed on anonymous connections as follows: Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. |
+| Security Options | Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. |
+| Security Options | Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | When enabled, this security setting restricts anonymous access to shares and pipes to the settings for:
- Network access: Named pipes that can be accessed anonymously
- Network access: Shares that can be accessed anonymously |
+| Security Options | Network access: Restrict clients allowed to make remote calls to SAM | O:BAG:BAD:(A;;RC;;;BA) | This policy setting allows you to restrict remote RPC connections to SAM. If not selected, the default security descriptor will be used. |
+| Security Options | Network security: Allow LocalSystem NULL session fallback | Disabled | Allow NTLM to fall back to NULL session when used with LocalSystem |
+| Security Options | Network security: Do not store LAN Manager hash value on next password change | Enabled | This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. |
+| Security Options | Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM | This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: Send NTLMv2 response only\\refuse LM & NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). |
+| Security Options | Network security: LDAP client signing requirements | Negotiate signing | This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows: Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\\SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the options specified by the caller. If TLS\\SSL has been started, the LDAP BIND request is initiated with the options that are specified by the caller. |
+| Security Options | Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require NTLMv2 session security and Require 128-bit encryption | This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. |
+| Security Options | Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require NTLMv2 session security and Require 128-bit encryption | This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. |
+| Security Options | System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled | This security setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. If this policy is enabled, the default DACL is stronger, allowing users who are not administrators to read shared objects but not allowing these users to modify shared objects that they did not create. |
+| Security Options | User Account Control: Admin approval mode for the built-in administrator | Enabled | The built-in Administrator account uses Admin Approval Mode - any operation that requires elevation of privilege will prompt to user to approve that operation |
+| Security Options | User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop | When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. |
+| Security Options | User Account Control: Detect application installations and prompt for elevation | Enabled | When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. |
+| Security Options | User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled | This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - …\\Program Files\\, including subfolders - …\\Windows\\system32\\ - …\\Program Files (x86)\\, including subfolders for 64-bit versions of Windows |
+| Security Options | User Account Control: Run all Administrators in admin approval mode | Enabled | This policy must be enabled, and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. |
+| Security Options | User Account Control: Virtualize file and registry write failures to per-user locations | Enabled | This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software. |
+| User Rights Assignments | Access Credential Manager as a trusted caller | No One (blank) | This setting is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users saved credentials might be compromised if this privilege is given to other entities.|
+| User Rights Assignment | Access this computer from the network | Administrators; Remote Desktop Users | This user right determines which users and groups can connect to the computer over the network. Remote Desktop Services are not affected by this user right. |
+| User Rights Assignments | Act as part of the operating system | No One (blank) | This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. |
+| User Rights Assignments | Allow log on locally | Administrators; Users | Determines which users can log on to the computer |
+| User Rights Assignments | Back up files and directories | Administrators | Determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system |
+| User Rights Assignments | Create a pagefile | Administrators | Determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file |
+| User Rights Assignments | Create a token object | No One (blank) | Determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. |
+| User Rights Assignments | Create global objects | Administrators; LOCAL SERVICE; NETWORK SERVICE; SERVICE | This security setting determines whether users can create global objects that are available to all sessions. |
+| User Rights Assignments | Create permanent shared objects | No One (blank) | Determines which accounts can be used by processes to create a directory object using the object manager |
+| User Rights Assignments | Debug programs | Administrators | Determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. |
+| User Rights Assignment | Enable computer and user accounts to be trusted for delegation | No One (blank) | This security setting determines which users can set the Trusted for Delegation setting on a user or computer object. |
+| User Rights Assignments | Force shutdown from a remote system | Administrators | Determines which users can shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. |
+| User Rights Assignment | Impersonate a client after authentication | Administrators, SERVICE, Local Service, Network Service | Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. |
+| User Rights Assignments | Load and unload device drivers | Administrators | Determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
+| User Rights Assignment | Lock pages in memory | No One (blank) | Determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random-access memory (RAM). |
+| User Rights Assignments | Manage auditing and security log | Administrators | Determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. |
+| User Rights Assignments | Modify firmware environment variables | Administrators | Determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. |
+| User Rights Assignment | Perform volume maintenance tasks | Administrators | This security setting determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. |
+| User Rights Assignment | Profile single process | Administrators | This security setting determines which users can use performance monitoring tools to monitor the performance of non-system processes. |
+| User Rights Assignments | Restore files and directories | Administrators | Determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object |
+| User Rights Assignments | Take ownership of files or other objects | Administrators | Determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads |
+
+### Advanced Audit Policies
+
+| Feature | Policy Setting | Policy Value | Description |
+|---------|----------------|--------------|-------------|
+| Account Logon | Audit Credential Validation | Success and Failure | Audit events generated by validation tests on user account logon credentials. Occurs only on the computer that is authoritative for those credentials. |
+| Account Management | Audit Security Group Management | Success | Audit events generated by changes to security groups, such as creating, changing or deleting security groups, adding or removing members, or changing group type. |
+| Account Management | Audit User Account Management | Success and Failure | Audit changes to user accounts. Events include creating, changing, deleting user accounts; renaming, disabling, enabling, locking out, or unlocking accounts; setting or changing a user account’s password; adding a security identifier (SID) to the SID History of a user account; configuring the Directory Services Restore Mode password; changing permissions on administrative user accounts; backing up or restoring Credential Manager credentials |
+| Detailed Tracking | Audit PNP Activity | Success | Audit when plug and play detects an external device |
+| Detailed Tracking | Audit Process Creation | Success | Audit events generated when a process is created or starts; the name of the application or user that created the process is also audited |
+| Logon/ Logoff | Audit Account Lockout | Failure | Audit events generated by a failed attempt to log on to an account that is locked out |
+| Logon/ Logoff | Audit Group Membership | Success | Audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. |
+| Logon/ Logoff | Audit Logon | Success and Failure | Audit events generated by user account logon attempts on the computer |
+| Logon/ Logoff | Audit Other Logon / Logoff Events | Success and Failure | Audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting, such as Terminal Services session disconnections, new Terminal Services sessions locking and unlocking a workstation, invoking or dismissing a screen saver, detection of a Kerberos replay attack, or access to a wireless network granted to a user or computer account |
+| Logon/ Logoff | Audit Special Logon | Success | Audit events generated by special logons such as the use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level, or a logon by a member of a Special Group (Special Groups enable you to audit events generated when a member of a certain group has logged on to your network) |
+| Object Access | Audit Detailed File Share | Failure | Audit attempts to access files and folders on a shared folder; the Detailed File Share setting logs an event every time a file or folder is accessed |
+| Object Access | Audit File Share | Success and Failure | Audit attempts to access a shared folder; an audit event is generated when an attempt is made to access a shared folder |
+| Object Access | Audit Other Object Access Events | Success and Failure | Audit events generated by the management of task scheduler jobs or COM+ objects |
+| Object Access | Audit Removable Storage | Success and Failure | Audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. |
+| Policy Change | Audit Audit Policy Change | Success | Audit changes in the security audit policy settings |
+| Policy Change | Audit Authentication Policy Change | Success | Audit events generated by changes to the authentication policy |
+| Policy Change | Audit MPSSVC Rule-Level Policy Change | Success and Failure | Audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. |
+| Policy Change | Audit Other Policy Change Events | Failure | Audit events generated by other security policy changes that are not audited in the policy change category, such as Trusted Platform Module (TPM) configuration changes, kernel-mode cryptographic self tests, cryptographic provider operations, cryptographic context operations or modifications, applied Central Access Policies (CAPs) changes, or boot Configuration Data (BCD) modifications |
+| Privilege Use | Audit Sensitive Privilege Use | Success and Failure | Audit events generated when sensitive privileges (user rights) are used |
+| System | Audit Other System Events | Success and Failure | Audit any of the following events: Startup and shutdown of the Windows Firewall service and driver, security policy processing by the Windows Firewall Service, cryptography key file and migration operations. |
+| System | Audit Security State Change | Success | Audit events generated by changes in the security state of the computer such as startup and shutdown of the computer, change of system time, recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. |
+| System | Audit Security System Extension | Success | Audit events related to security system extensions or services |
+| System | Audit System Integrity | Success and Failure | Audit events that violate the integrity of the security subsystem |
+
+### Windows Defender Firewall Policies
+
+| Feature | Policy Setting | Policy Value | Description |
+|---------|----------------|--------------|-------------|
+| Domain Profile / State | Firewall State | On | Enables the firewall when connected to the domain profile |
+| Domain Profile / State | Inbound Connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the domain profile |
+| Domain Profile / State | Outbound Connections | Allow | Outbound connections for which there is no rule blocking the connection will be allowed in the domain profile |
+| Domain Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the domain profile |
+| Domain Profile / Logging | Size Limit | 16384 | Sets the firewall log file size for a domain connection |
+| Domain Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a domain connection |
+| Domain Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a domain connection |
+| Private Profile / State | Firewall State | On | Enables the firewall when connected to the private profile |
+| Private Profile / State | Inbound Connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the private profile |
+| Private Profile / State | Outbound Connections | Allow | Outbound connections for which there is no rule blocking the connection will be allowed in the private profile |
+| Private Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the private profile |
+| Private Profile / Logging | Size Limit | 16384 | Sets the firewall log file size for a private connection |
+| Private Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a private connection |
+| Private Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a private connection |
+| Public Profile / State | Firewall State | On | Enables the firewall when connected to the public profile |
+| Public Profile / State | Inbound Connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the public profile |
+| Public Profile / State | Outbound Connections | Allow | Outbound connections for which there is no rule blocking the connection will be allowed in the public profile |
+| Public Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the public profile |
+| Public Profile / Settings | Apply local firewall rules | No | Users cannot create new firewall rules |
+| Public Profile / Settings | Apply local connection security rules | No | Ensures local connection rules will not be merged with Group Policy settings in the domain |
+| Public Profile / Logging | Size Limit | 16384 | Sets the firewall log file size for a public connection |
+| Public Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a public connection |
+| Public Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a public connection |
+
+### Computer Policies
+
+| Feature | Policy Setting | Policy Value | Description |
+|---------|----------------|--------------|-------------|
+| LAPS | Enable local admin password management | Enabled | Activates LAPS for the device |
+| MS Security Guide | Apply UAC restrictions to local accounts on network logon | Enabled | Filters the user account token for built-in administrator accounts for network logons |
+| MS Security Guide | Configure SMB v1 client driver | Disable driver (recommended) | Configure the startup mode for the kernel mode driver that implements client-side SMBv1 processing (MrxSmb10). This setting includes a dropdown that is activated when the Enabled radio button is selected and that controls the “Start” registry value in HKLM\\SYSTEM\\CurrentControlSet\\Services\\MrxSmb10. |
+| MS Security Guide | Configure SMB v1 server | Disabled | Disable or enable server-side processing of the SMBv1 protocol |
+| MS Security Guide | Enabled Structured Exception Handling Overwrite Protection (SEHOP)| Enabled | This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option. We recommend that Windows users who are running any of the above operating systems enable this feature to improve the security profile of their systems. |
+| MS Security Guide | NetBT NodeType Configuration | P-node (recommended) | The NetBT NodeType setting determines what methods NetBT uses to register and resolve names:
- A B-node computer uses broadcasts.
- A P-node computer uses only point-to-point name queries to a name server (WINS).
- An M-node computer broadcasts first, and then queries the name server.
- An H-node computer queries the name server first, and then broadcasts.
Resolution through LMHOSTS or DNS follows these methods. If the NodeType value is present, it overrides any DhcpNodeType value.
If neither NodeType nor DhcpNodeType is present, the computer uses B-node if there are no WINS servers configured for the network, or H-node if there is at least one WINS server configured. |
+| MS Security Guide | WDigest Authentication | Disabled | When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. WDigest is disabled by default in Windows 10. This setting ensures this is enforced. |
+| MSS | MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (Protects against packet spoofing) | Highest Protection, source routing is completely disabled | Allowing source routed network traffic allows attackers to obscure their identity and location. |
+| MSS | MSS: (DisableIPSourceRouting) IP source routing protection level (Protects against packet spoofing) | Highest Protection, source routing is completely disabled | Allowing source routed network traffic allows attackers to obscure their identity and location. |
+| MSS | MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | Disabled | Allowing ICMP redirect of routes can lead to traffic not being routed properly. When disabled, this forces ICMP to be routed via shortest path first. |
+| MSS | MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Enabled | Prevents a denial-of-service (DoS) attack against a WINS server. The DoS consists of sending a NetBIOS Name Release Request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability. |
+| Network / DNS Client | Turn off multicast name resolution | Enabled | Specifies that link local multicast name resolution (LLMNR) is disabled on client computers.
LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible.
If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer.
If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters.|
+| Network / Lanman Workstation | Enable insecure guest logons | Disabled | Determines if the SMB client will allow insecure guest logons to an SMB server |
+| Network / Network Connections | Prohibit use of Internet Connection Sharing on your DNS domain network | Enabled | Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. |
+| Network / Network Provider | Hardened UNC Paths | \\\\\*\\SYSVOL and \\\\\*\\NETLOGON RequireMutualAuthentication = 1, RequireIntegrity = 1 | This policy setting configures secure access to UNC paths. If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. |
+| Network / Windows Connection Manager | Prohibit connection to non-domain networks when connected to domain authenticated network | Enabled | This policy setting prevents computers from connecting to both a domain-based network and a non-domain-based network at the same time. |
+| System / Credentials Delegation | Encryption Oracle Remediation | Force Updated Clients | Enryption Oracle Remediation |
+| System / Credentials Delegation | Remote host allows delegation of non-exportable credentials | Enabled | When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode. |
+| System / Device Installation / Device Installation Restrictions | Prevent installation of devices that match any of these device IDs | [[[main setting]]] = Enabled
Also apply to matching devices that are already installed = True
1 = PCI\CC_0C0A | This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. if you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in a list that you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. |
+| System / Device Installation / Device Installation Restrictions | Prevent installation of devices using drivers that match these device setup classes | [[[main setting]]] = Enabled
Also apply to matching devices that are already installed = True
1 = {d48179be-ec20-11d1-b6b8-00c04fa372a7} | This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. if you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. |
+| System / Early Launch Antimalware | Boot-Start Driver Initialization Policy | Good, unknown and bad but critical | Allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:
- Good: The driver has been signed and has not been tampered with.
- Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.
- Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.
- Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver.
If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started.
If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped.
If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. |
+| System / Group Policy | Configure registry policy processing | Process even if the Group Policy objects have not changed = True
Do not apply during periodic background processing = False | Determines when registry policies are updated.
This policy setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the program implementing a registry policy set when it was installed.
If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system.
The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart.
The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. |
+| System / Internet Communication Management / Internet Communication settings| Turn off Internet download for Web publishing and online ordering wizards | Enabled | This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry. |
+| System / Kernel DMA Protection | Enumeration policy for external devices incompatible with Kernel DMA Protection | Block all | Enumeration policy for external DMA-capable devices incompatible with DMA remapping. This policy only takes effect when Kernel DMA Protection is enabled and supported by the system. Note: this policy does not apply to 1394, PCMCIA or ExpressCard devices. |
+| System / Power Management / Sleep Settings | Require a password when a computer wakes (on battery) | Enabled | Specifies whether the user is prompted for a password when the system resumes from sleep |
+| System / Power Management / Sleep Settings | Require a password when a computer wakes (plugged in) | Enabled | Specifies whether the user is prompted for a password when the system resumes from sleep |
+| System / Remote Procedure Call | Restrict Unauthenticated RPC clients | Authenticated | Controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. |
+| System / Service Control Manager Settings / Security Settings | Enable svchost.exe mitigation options | Enabled | Enables process mitigation options on svchost.exe processes.
If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. This includes a policy requiring all binaries loaded in these processes to be signed by microsoft, as well as a policy disallowing dynamically-generated code.
If you disable or do not configure this policy setting, these stricter security settings will not be applied. |
+| Windows Components / App runtime | Allow Microsoft accounts to be optional | Enabled | Lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. |
+| Windows Components / AutoPlay Policies | Disallow Autoplay for non-volume devices | Enabled | Disallows AutoPlay for MTP devices like cameras or phones. |
+| Windows Components / AutoPlay Policies | Set the default behavior for AutoRun | Do not execute any autorun commands | Sets the default behavior for Autorun commands. |
+| Windows Components / AutoPlay Policies | Turn off Autoplay | All Drives | Allows you to turn off the Autoplay feature. |
+| Windows Components / Biometrics / Facial Features | Configure enhanced anti-spoofing | Enabled | Determines whether enhanced anti-spoofing is required for Windows Hello face authentication |
+| Windows Components / BitLocker Drive Encryption | Disable new DMA devices when this computer is locked | Enabled | Allows you to block direct memory access (DMA) for all Thunderbolt hot pluggable PCI downstream ports until a user logs into Windows |
+| Windows Components / BitLocker Drive Encryption / Operating System Drives | Allow enhanced PINs for startup | Enabled | Allows you to configure whether enhanced startup PINs are used with BitLocker |
+| Windows Components / Event Log Service / Application | Specify the maximum log file size (KB) | 32768 | Specifies the maximum size of the log file in kilobytes. |
+| Windows Components / Event Log Service / Security | Specify the maximum log file size (KB) | 196608 | Specifies the maximum size of the log file in kilobytes. |
+| Windows Components / Event Log Service / System | Specify the maximum log file size (KB) | Enabled: 32768 | Specifies the maximum size of the log file in kilobytes. |
+| Windows Components / File Explorer | Configure Windows Defender SmartScreen | [[[main setting]]] = Enabled
Pick one of the following settings = Warn and prevent bypass | Configure whether to turn on Windows Defender SmartScreen to provide warning messages to help protect your employees from potential phishing scams and malicious software|
+| Windows Components / Internet Explorer | Prevent managing SmartScreen Filter | On | Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. |
+| Windows Components / Internet Explorer | Specify use of ActiveX Installer Service for installation of ActiveX controls | Enabled | This policy setting allows you to specify how ActiveX controls are installed. If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls. If you disable or do not configure this policy setting, ActiveX controls, including per-user controls, are installed through the standard installation process. |
+| Windows Components / Internet Explorer | Turn off the Security Settings Check feature | Disabled | This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk. If you enable this policy setting, the feature is turned off. If you disable or do not configure this policy setting, the feature is turned on. |
+| Windows Components / Internet Explorer / Internet Control Panel | Prevent ignoring certificate errors | Enabled | This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer. |
+| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Allow software to run or install even if the signature is invalid | Disabled | This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file. |
+| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Check for server certificate revocation | Enabled | Allows you to manage whether Internet Explorer will check revocation status of servers' certificates |
+| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Check for signatures on downloaded programs | Enabled | This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs. |
+| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Turn off encryption support | Use TLS 1.1 and TLS 1.2 | This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each other’s list of supported protocols and versions, and they select the most preferred match. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page | Turn on certificate address mismatch warning | Enabled | This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Access data sources across domains | Disable | This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow cut copy or paste operations from the clipboard via script | Disable | This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow drag and drop or copy and paste files | Disable | This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow loading of XAML files | Disable | This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow only approved domains to use ActiveX controls without prompt | Enable | This policy setting controls whether the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow only approved domains to use the TDC ActiveX control | Enable | This policy setting controls whether the user can run the TDC ActiveX control on websites. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow scripting of Internet Explorer WebBrowser controls | Disable | This policy setting determines whether a page can control embedded WebBrowser controls via script. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow script-initiated windows without size or position constraints | Disable | This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow scriptlets | Disable | This policy setting allows you to manage whether the user can run scriptlets. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow updates to status bar via script | Disable | This policy setting allows you to manage whether script can update the status bar within the zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow VBScript to run in Internet Explorer | Disable | This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Automatic prompting for file downloads | Disable | This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Don't run antimalware programs against ActiveX controls | Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Download unsigned ActiveX controls | Disable | This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Enable dragging of content from different domains across windows | Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Enable dragging of content from different domains within a window | Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Include local path when user is uploading files to a server | Disable | This policy setting controls whether local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Initialize and script ActiveX controls not marked as safe | Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Java permissions | Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Launching applications and files in an IFRAME | Disable | This policy setting allows you to manage whether applications may be run, and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Logon options | Prompt for user name and password | This policy setting allows you to manage settings for logon options. Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Navigate windows and frames across different domains | Disable | This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Run .NET Framework-reliant components not signed with Authenticode | Disable | This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Run .NET Framework-reliant components signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Show security warning for potentially unsafe files | Prompt | This policy setting controls whether the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on Cross-Site Scripting Filter | Enabled: Enable | Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on Protected Mode | Enable | Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on SmartScreen Filter scan | Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Use Pop-up Blocker | Enabled: Enable | Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Userdata persistence | Disable | This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Web sites in less privileged Web content zones can navigate into this zone | Disable | This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Initialize and script ActiveX controls not marked as safe | Enabled: Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Java permissions | Enabled: High Safety | Allows you to manage permissions for Java applets. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Local Machine Zone | Don't run antimalware programs against ActiveX controls | Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Local Machine Zone | Java permissions | Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-down Internet Zone | Turn on SmartScreen Filter scan | Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Intranet Zone | Java permissions | Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Local Machine Zone | Java permissions | Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Restricted Sites Zone | Java permissions | Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Restricted Sites Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Trusted Sites Zone | Java permissions | Disable Java | Allows you to configure policy settings according to the default for the selected security level, such Low, Medium, or High. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Access data sources across domains | Enabled: Disable | This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow active scripting | Disable | This policy setting allows you to manage whether script code on pages in the zone is run. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow binary and script behaviors | Disable | This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow cut copy or paste operations from the clipboard via script | Enabled: Disable | This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow drag and drop or copy and paste files | Disable | This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow file downloads | Disable | This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow loading of XAML files | Disable | This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow META REFRESH | Disable | This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow only approved domains to use ActiveX controls without prompt | Enable | This policy setting controls whether the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow only approved domains to use the TDC ActiveX control | Enable | This policy setting controls whether the user can run the TDC ActiveX control on websites. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow scripting of Internet Explorer WebBrowser controls | Disable | This policy setting determines whether a page can control embedded WebBrowser controls via script. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow script-initiated windows without size or position constraints | Enabled: Disable | This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow scriptlets | Disable | This policy setting allows you to manage whether the user can run scriptlets. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow updates to status bar via script | Disable | This policy setting allows you to manage whether script can update the status bar within the zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow VBScript to run in Internet Explorer | Disable | This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Automatic prompting for file downloads | Disable | This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Don't run antimalware programs against ActiveX controls | Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Download signed ActiveX controls | Disable | This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Download unsigned ActiveX controls | Disable | This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Enable dragging of content from different domains across windows | Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Enable dragging of content from different domains within a window | Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Include local path when user is uploading files to a server | Disable | This policy setting controls whether local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Initialize and script ActiveX controls not marked as safe | Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Java permissions | Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Launching applications and files in an IFRAME | Disable | This policy setting allows you to manage whether applications may be run, and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Logon options | Anonymous logon | This policy setting allows you to manage settings for logon options. Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Navigate windows and frames across different domains | Enabled: Disable | This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Run .NET Framework-reliant components not signed with Authenticode | Disable | This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Run .NET Framework-reliant components signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Run ActiveX controls and plugins | Enabled: Disable | This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Script ActiveX controls marked safe for scripting | Disable | This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Scripting of Java applets | Disable | This policy setting allows you to manage whether applets are exposed to scripts within the zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Show security warning for potentially unsafe files | Disable | This policy setting controls whether the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). If you disable this policy setting, these files do not open. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on Cross-Site Scripting Filter | Enable | Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on Protected Mode | Enable | Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Use Pop-up Blocker | Enable | Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Userdata persistence | Disable | This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Web sites in less privileged Web content zones can navigate into this zone | Disable | This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Don't run antimalware programs against ActiveX controls | Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Initialize and script ActiveX controls not marked as safe | Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Java permissions | High Safety | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. High Safety enables applets to run in their sandbox. |
+| Windows Components / Internet Explorer / Security Features | Allow fallback to SSL 3.0 (Internet Explorer) | No sites | Allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails. |
+| Windows Components / Internet Explorer / Security Features / Add-on Management | Remove "Run this time" button for outdated ActiveX controls in Internet Explorer | Enabled | This policy setting allows you to stop users from seeing the "Run this time" button and from running specific outdated ActiveX controls in Internet Explorer. |
+| Windows Components / Internet Explorer / Security Features / Add-on Management | Turn off blocking of outdated ActiveX controls for Internet Explorer | Disabled | This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. |
+| Windows Components / Internet Explorer / Security Features / Consistent Mime Handling | Internet Explorer Processes | Enabled | Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server. This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension. If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files. |
+| Windows Components / Internet Explorer / Security Features / Mime Sniffing Safety Feature | Internet Explorer Processes | Enabled | This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. If you enable this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. |
+| Windows Components / Internet Explorer / Security Features / MK Protocol Security Restriction | Internet Explorer Processes | Enabled | The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail. If you enable this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. |
+| Windows Components / Internet Explorer / Security Features / Notification Bar | Internet Explorer Processes | Enabled | This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes. If you enable this policy setting, the Notification bar will be displayed for Internet Explorer Processes. |
+| Windows Components / Internet Explorer / Security Features / Protection from Zone Elevation | Internet Explorer Processes | Enabled | Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context. If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. |
+| Windows Components / Internet Explorer / Security Features / Restrict ActiveX Install | Internet Explorer Processes | Enabled | This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. If you enable this policy setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes. |
+| Windows Components / Internet Explorer / Security Features / Restrict File Download | Internet Explorer Processes | Enabled | This policy setting enables blocking of file download prompts that are not user initiated. If you enable this policy setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes. |
+| Windows Components / Internet Explorer / Security Features / Scripted Window Security Restrictions | Internet Explorer Processes | Enabled | Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars. If you enable this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. |
+| Windows Components / Microsoft Edge | Configure Windows Defender SmartScreen | Enabled | Configures whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, Windows Defender SmartScreen is turned on. If you enable this setting, Windows Defender SmartScreen is turned on and employees can't turn it off. If you disable this setting, Windows Defender SmartScreen is turned off and employees can't turn it on. If you don't configure this setting, employees can choose whether to use Windows Defender SmartScreen. |
+| Windows Components / Microsoft Edge | Prevent certificate error overrides | Enabled | Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. If enabled, overriding certificate errors are not allowed. If disabled or not configured, overriding certificate errors are allowed. |
+| Windows Components / Remote Desktop Services / Remote Desktop Connection Client | Do not allow passwords to be saved | Enabled | Controls whether passwords can be saved on this computer from Remote Desktop Connection. |
+| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Always prompt for password upon connection | Enabled | This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. |
+| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Require secure RPC communication | Enabled | Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. |
+| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Set client connection encryption level | High Level | Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. |
+| Windows Components / RSS Feeds | Prevent downloading of enclosures | Enabled | This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. if you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs. If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. |
+| Windows Components / Search | Allow indexing of encrypted files | Disabled | This policy setting allows encrypted items to be indexed. if you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply). If you disable this policy setting the search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores. This policy setting is not configured by default. If you do not configure this policy setting the local setting configured through Control Panel will be used. By default, the Control Panel setting is set to not index encrypted content. When this setting is enabled or disabled the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. |
+| Windows Components / Windows Defender Antivirus / MAPS | Join Microsoft MAPS | Advanced MAPS | Allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. |
+| Windows Components / Windows Defender Antivirus | Turn off Windows Defender Antivirus | Disabled | Turns off Windows Defender Antivirus |
+| Windows Components / Windows Defender Antivirus / MAPS | Send file samples when further analysis is required | Enabled: Send safe samples | Configures behavior of samples submission when opt-in for MAPS telemetry is set |
+| Windows Components / Windows Defender Antivirus / Real-time Protection | Turn off real-time protection | Disabled | Turns off real-time protection prompts for known malware detection |
+| Windows Components / Windows Defender Antivirus / Real-time Protection | Turn on behavior monitoring | Enabled | Allows you to configure behavior monitoring. |
+| Windows Components / Windows Defender Antivirus / Scan | Scan removable drives | Enabled | Allows you to manage whether to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. |
+| Windows Components / Windows Defender Antivirus / Scan | Specify the interval to run quick scans per day | 24 | Allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). |
+| Windows Components / Windows Defender SmartScreen / Explorer | Configure Windows Defender SmartScreen | [[[main setting]]] = Enabled
Pick one of the following settings = Warn and prevent bypass | Turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options:
- Warn and prevent bypass
- Warn
If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app. If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen will not warn the user again for that app if the user tells SmartScreen to run the app. If you disable this policy, SmartScreen will be turned off for all users. Users will not be warned if they try to run suspicious apps from the Internet. If you do not configure this policy, SmartScreen will be enabled by default, but users may change their settings. |
+| Windows Components / Windows Defender SmartScreen / Microsoft Edge | Configure Windows Defender SmartScreen | Enabled | Turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. If you enable this policy, SmartScreen will be turned on for all users. |
+| Windows Components / Windows Ink Workspace | Allow Windows Ink Workspace | On, but disallow access above lock | Allow Windows Ink Workspace |
+| Windows Components / Windows Installer | Allow user control over installs | Disabled | Permits users to change installation options that typically are available only to system administrators |
+| Windows Components / Windows Installer | Always install with elevated privileges | Disabled | Directs Windows Installer to use elevated permissions when it installs any program on the system |
+| Windows Components / Windows Logon Options | Sign-in last interactive user automatically after a system-initiated restart | Disabled | Controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system |
+| Windows Components / Windows PowerShell | Turn on PowerShell Script Block Logging | Enabled | This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. |
+| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Allow Basic authentication | Disabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. |
+| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Allow unencrypted traffic | Disabled | Manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network |
+| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Disallow Digest authentication | Enabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authentication. |
+| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Allow Basic authentication | Disabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. |
+| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Allow unencrypted traffic | Disabled | Manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. |
+| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Disallow WinRM from storing RunAs credentials | Enabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins. |
+
+
+## Controls
+
+The controls enabled in level 1 enforce a reasonable security level while minimizing the impact to users and applications.
+
+| Feature | Config | Description |
+|-----------------------------------|-------------------------------------|--------------------|
+| [Local Admin Password Solution (LAPS)](https://www.microsoft.com/download/details.aspx?id=46899) | Deployed to all devices | Generates a unique local admin password to devices, mitigating many lateral traversal attacks. |
+| [Windows Defender ATP EDR](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | Deployed to all devices | The Windows Defender ATP endpoint detection and response (EDR) provides actionable and near real-time detection of advanced attacks. EDR helps security analysts , and aggregates alerts with the same attack techniques or attributed to the same attacker into an entity called an *incident*. An incident helps analysts prioritize alerts, collectively investigate the full scope of a breach, and respond to threats. Windows Defender ATP EDR is not expected to impact users or applications, and it can be deployed to all devices in a single step. |
+| [Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard) | Enabled for all compatible hardware | Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. There is a small risk to application compatibility, as [applications will break](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements#application-requirements) if they require NTLMv1, Kerberos DES encryption, Kerberos unconstrained delegation, or extracting the Keberos TGT. As such, Microsoft recommends deploying Credential Guard using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). |
+| [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/) | Default browser | Microsoft Edge in Windows 10 provides better security than Internet Explorer 11 (IE11). While you may still need to leverage IE11 for compatibility with some sites, Microsoft recommends configuring Microsoft Edge as the default browser, and building an Enterprise Mode Site List to redirect to IE11 only for those sites that require it. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Enterprise Mode Site List, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). |
+| [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Enabled on compatible hardware | Windows Defender Application Guard uses a hardware isolation approach. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated container, which is separate from the host operating system and enabled by Hyper-V. If the untrusted site turns out to be malicious, the isolated container protects the host PC, and the attacker can't get to your enterprise data. There is a small risk to application compatibility, as some applications may require interaction with the host PC but may not yet be on the list of trusted web sites for Application Guard. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Network Isolation Settings, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). |
+| [Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard) | Configure and enforce Network Protection | Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of Windows Defender SmartScreen to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). There is a risk to application compatibility, as a result of false positives in flagged sites. Microsoft recommends deploying using the Audit / Enforce Methodology. |
+
+
+## Behaviors
+
+The behaviors recommended in level 1 enforce a reasonable security level while minimizing the impact to users or to applications.
+
+| Feature | Config | Description |
+|---------|-------------------|-------------|
+| OS security updates | Deploy Windows Quality Updates within 7 days of release | As the time between the release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, a critical aspect of security hygiene is having an engineering process that quickly validates and deploys Quality Updates that address security vulnerabilities. |
+
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md
new file mode 100644
index 0000000000..3671675351
--- /dev/null
+++ b/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md
@@ -0,0 +1,130 @@
+---
+title: Level 2 enterprise enhanced security configuration
+description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 2 enterprise security configuration.
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.author: appcompatguy
+author: appcompatguy
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 05/29/2019
+---
+
+# Level 2 enterprise enhanced security configuration
+
+**Applies to**
+
+- Windows 10
+
+Level 2 is the security configuration recommended as a standard for devices where users access more sensitive information. These devices are a natural target in enterprises today. While targeting high levels of security, these recommendations do not assume a large staff of highly skilled security practitioners, and therefore should be accessible to most enterprise organizations.
+A level 2 configuration should include all the configurations from level 1 and add the following security policies, controls, and organizational behaviors.
+
+## Hardware
+
+Devices targeting level 2 should support all level 1 features, and add the following hardware features:
+
+- [Virtualization and HVCI Enabled](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-vbs)
+- [Drivers and Apps HVCI-Ready](https://docs.microsoft.com/windows-hardware/test/hlk/testref/driver-compatibility-with-device-guard)
+- [Windows Hello](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-biometric-requirements)
+- [DMA I/O Protection](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)
+
+## Policies
+
+The policies enforced in level 2 include all of the policies recommended for level 1 and adds the
+below policies to implement more controls and a more sophisticated security
+configuration than level 1. While they may have a slightly higher impact to
+users or to applications, they enforce a level of security more commensurate
+with the risks facing users with access to sensitive information. Microsoft
+recommends using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for these security configurations and
+controls, with a moderate timeline that is anticipated to be slightly longer
+than the process in level 1.
+
+### Security Template Policies
+
+| Feature | Policy Setting | Policy Value | Description |
+|---------|----------------|--------------|-------------|
+| Security Options | User Account Control: Behavior of the elevation prompt for standard users | Automatically deny elevation requests | This policy setting controls the behavior of the elevation prompt for standard users. Automatically deny elevation requests: When an operation requires elevation of privilege, an access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. |
+| User Rights Assignments | Deny access to this computer from the network | NT AUTHORITY\\Local Account | Determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. |
+| User Rights Assignments | Deny log on through Remote Desktop Services | NT AUTHORITY\\Local Account | Determines which users and groups are prohibited from logging on as a Remote Desktop Services client. |
+
+### Computer Policies
+
+| Feature | Policy Setting | Policy Value | Description |
+|---------|----------------|--------------|-------------|
+| Control Panel / Personalization | Prevent enabling lock screen camera | Enabled | Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. By default, users can enable invocation of an available camera on the lock screen. If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings and the camera cannot be invoked on the lock screen. |
+| Network / WLAN Service / WLAN Settings | Allow Windows to automatically connect to suggested open hotspots to networks shared by contacts and to hotspots offering paid services | Disabled | This policy setting determines whether users can enable the following WLAN settings: "Connect to suggested open hotspots," "Connect to networks shared by my contacts," and "Enable paid services". |
+| System / Device Guard | Turn on Virtualization Based Security | - [[[main setting]]] = Enabled
- Virtualization Based Protection of Code Integrity = Enabled with UEFI lock
- Credential Guard Configuration = Enabled with UEFI lock
- Select Platform Security Level = Secure Boot
- Secure Launch Configuration = Enabled
- Require UEFI Memory Attributes Table = False | Specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot and can optionally be enabled with the use of DMA Protections. DMA protections require hardware support and will only be enabled on correctly configured devices. |
+| System / Internet Communication Management / Internet Communication settings | Turn off downloading of print drivers over HTTP | Enabled | This policy setting specifies whether to allow this client to download print driver packages over HTTP. To set up HTTP printing non-inbox drivers need to be downloaded over HTTP. Note: This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally. if you enable this policy setting, print drivers cannot be downloaded over HTTP. If you disable or do not configure this policy setting, users can download print drivers over HTTP. |
+| System / Logon | Turn on convenience PIN sign-in | Disabled | This policy setting allows you to control whether a domain user can sign in using a convenience PIN. |
+| System / Remote Assistance | Configure Solicited Remote Assistance | - [[[main setting]]] = Disabled
- Maximum ticket time (value) = [[[delete]]]
- Maximum ticket time (units) = [[[delete]]]
- Method for sending email invitations = [[[delete]]]
- Permit remote control of this computer = [[[delete]]] | This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. |
+| Windows Components / App Privacy | Let Windows apps activate with voice while the system is locked | Force Deny | Specifies whether Windows apps can be activated by voice while the system is locked. If you choose the "User is in control" option, employees in your organization can decide whether users can interact with applications using speech while the system is locked by using Settings > Privacy on the device. If you choose the "Force Allow" option, users can interact with applications using speech while the system is locked and employees in your organization cannot change it. If you choose the "Force Deny" option, users cannot interact with applications using speech while the system is locked and employees in your organization cannot change it. If you disable or do not configure this policy setting, employees in your organization can decide whether users can interact with applications using speech while the system is locked by using Settings > Privacy on the device. This policy is applied to Windows apps and Cortana. It takes precedence of the Allow Cortana above lock policy. This policy is applicable only when Allow voice activation policy is configured to allow applications to be activated with voice. |
+| Windows Components / BitLocker Drive Encryption / Removable Data Drives | Deny write access to removable drives not protected by BitLocker | Enabled | This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. If the "Deny write access to devices configured in another organization" option is selected, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed, it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" policy setting. If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access. Note: This policy setting can be overridden by the policy settings under User Configuration\\Administrative Templates\\System\\Removable Storage Access. If the "Removable Disks: Deny write access" policy setting is enabled, this policy setting will be ignored. |
+| Windows Components / Internet Explorer | Prevent bypassing SmartScreen Filter warnings | Enabled | This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious. |
+| Windows Components / Internet Explorer | Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet | Enabled | This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet. |
+| Windows Components / Internet Explorer | Prevent per-user installation of ActiveX controls | Enabled | This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis. If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis. |
+| Windows Components / Internet Explorer | Security Zones: Do not allow users to add/delete sites | Enabled | Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level. If you enable this policy, the site management settings for security zones are disabled. |
+| Windows Components / Internet Explorer | Security Zones: Do not allow users to change policies | Enabled | Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level. If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled. |
+| Windows Components / Internet Explorer | Security Zones: Use only machine settings | Enabled | Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level. If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer. |
+| Windows Components / Internet Explorer | Turn off Crash Detection | Enabled | This policy setting allows you to manage the crash detection feature of add-on Management. If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely, to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Download signed ActiveX controls | Disable | This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. |
+| Windows Components / Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for files | Enabled | This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. If you enable this setting, employees can't ignore Windows Defender SmartScreen warnings and they are blocked from downloading the unverified files. If you disable or don't configure this setting, employees can ignore Windows Defender SmartScreen warnings and continue the download process. |
+| Windows Components / Windows Defender SmartScreen / Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for sites | Enabled | Lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites |
+| Windows Components / Remote Desktop Services / Remote Desktop | Do not allow drive redirection | Enabled | This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format \ on \. You can use this policy setting to override this behavior. if you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions and Clipboard file copy redirection is not allowed on computers running Windows Server 2003 Windows 8 and Windows XP. If you disable this policy setting client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed. If you do not configure this policy setting client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. |
+| Windows Components / Windows Defender Antivirus | Configure detection for potentially unwanted applications | Enabled: Audit | Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. |
+| Windows Components / Windows Game Recording and Broadcasting | Enables or disables Windows Game Recording and Broadcasting | Disabled | This setting enables or disables the Windows Game Recording and Broadcasting features. If you disable this setting, Windows Game Recording will not be allowed. |
+
+### User Policies
+
+| Feature | Policy Setting | Policy Value | Description |
+|---------|----------------|--------------|-------------|
+| Start Menu and Taskbar / Notifications | Turn off toast notifications on the lock screen | Enabled | Turns off toast notifications on the lock screen. |
+| Windows Components / Cloud Content | Do not suggest third-party content in the Windows spotlight | Enabled | Windows spotlight features like lock screen spotlight, suggested apps in Start menu or Windows tips will no longer suggest apps and content from third-party software publishers |
+
+### Services
+
+Microsoft recommends disabling the following services when their use is not required for a user to perform their work.
+
+| Type | Name | Description |
+|------|------|-------------|
+| Scheduled Task | XblGameSaveTask | Syncs save data for Xbox Live save-enabled games |
+| Services | Xbox Accessory Management Service | Manages connected Xbox accessories |
+| Services | Xbox Game Monitoring | Monitors Xbox games currently being played |
+| Services | Xbox Live Auth Manager | Provides authentication and authorization services for interactive with Xbox Live |
+| Services | Xbox Live Game Save | Syncs save data for Xbox live save enabled games |
+| Services | Xbox Live Networking Service | Supports the Windows.Networking.XboxLive API |
+
+## Controls
+
+The controls enforced in level 2 implement more controls and a more sophisticated security
+configuration than level 1. While they may have a slightly higher impact to
+users or to applications, they enforce a level of security more commensurate
+with the risks facing users with access to sensitive information. Microsoft
+recommends using the Audit/Enforce methodology for controls with an Audit mode,
+and [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do not, with a moderate timeline that
+is anticipated to be slightly longer than the process in level 1.
+
+| Feature Set | Feature | Description |
+|-------------------------------------------------------------|-------------------------------------------------------|----------------|
+| [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification) | Configure and enforce Windows Hello for Business | In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. Windows Hello addresses the following problems with passwords:
- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
- Server breaches can expose symmetric network credentials (passwords).
- Passwords are subject to replay attacks.
- Users can inadvertently expose their passwords due to phishing attacks. |
+| [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/) | Configure and enforce Conditional Access rules based on
- Application Risk
- Session Risk | With conditional access, you can implement automated access control decisions for accessing your cloud apps that are based on conditions. Conditional access policies are enforced after the first-factor authentication has been completed. Therefore, conditional access is not intended as a first line defense for scenarios like denial-of-service (DoS) attacks, but can utilize signals from these events (e.g. the sign-in risk level, location of the request, and so on) to determine access. |
+| [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) | Enforce memory protection for OS-level controls:
- Control flow guard (CFG)
- Data Execution Protection (DEP)
- Mandatory ASLR
- Bottom-Up ASLR
- High-entropy ASLR
- Validate Exception Chains (SEHOP)
- Validate heap integrity | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at either the operating system level, or at the individual app level. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. dynamically generating code without marking memory as executable). Microsoft recommends gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). |
+| [Attack Surface Reduction (ASR)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)| Configure and enforce [Attack Surface Reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules)| Attack surface reduction controls help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. an Office application spawning a child process). Each control has an Audit mode, and as such, Microsoft recommends the Audit / Enforce Methodology (repeated here):
1) Audit – enable the controls in audit mode, and gather audit data in a centralized location
2) Review – review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure
3) Enforce – Deploy the configuration of any exemptions and convert the control to enforce mode |
+| [Controlled Folder Access (CFA)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard) | Configure and audit [Controlled Folder Access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard) | Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. Controlled folder access works best with Microsoft Defender Advanced Threat Protection, which gives you detailed reporting into controlled folder access events and blocks as part of the usual alert investigation scenarios.
All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
Microsoft recommends the Audit / Enforce Methodology (repeated here):
1) Audit – enable the controls in audit mode, and gather audit data in a centralized location
2) Review – review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure
3) Enforce – Deploy the configuration of any exemptions and convert the control to enforce mode
+
+## Behaviors
+
+The behaviors recommended in level 2 implement a more sophisticated security process. While they may require a more sophisticated organization, they enforce
+a level of security more commensurate with the risks facing users with access to
+sensitive information.
+
+| Feature Set| Feature | Description |
+|------------|----------|--------------|
+| Antivirus | Configure Protection Updates to failover to retrieval from Microsoft | Sources for Windows Defender Antivirus Protection Updates can be provided in an ordered list. If you are using internal distribution, such as SCCM or WSUS, configure Microsoft Update lower in the list as a failover. |
+| OS Security Updates | Deploy Windows Quality Updates within 4 days | As the time between release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, engineering a process that provides the ability to validate and deploy quality updates addressing known security vulnerabilities is a critical aspect of security hygiene.|
+| Helpdesk| 1:1 Administration| A simple and common model for helpdesk support is to add the Helpdesk group as a permanent member of the Local Administrators group of every device. If any device is compromised and helpdesk can connect to it, then these credentials can be used to obtain privilege on any / all other devices. Design and implement a strategy to provide helpdesk support without providing 1:all admin access – constraining the value of these Helpdesk credentials |
+
+
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md
deleted file mode 100644
index 7f0491ae05..0000000000
--- a/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md
+++ /dev/null
@@ -1,142 +0,0 @@
----
-title: Level 3 enterprise VIP security configuration
-description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 3 enterprise VIP security configuration.
-keywords: virtualization, security, malware
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 04/05/2018
-ms.reviewer:
----
-
-# Level 3 enterprise VIP security configuration
-
-**Applies to**
-
-- Windows 10
-
-Level 3 is the security configuration recommended as a standard for organizations with large and sophisticated security organizations, or for specific users and groups who will be uniquely targeted by adversaries. Such organizations are typically targeted by well-funded and sophisticated adversaries, and as such merit the additional constraints and controls described here.
-A level 3 configuration should include all the configurations from level 5 and level 4 and add the following security policies, controls, and organizational behaviors.
-
-## Policies
-
-The policies enforced in level 3 implement strict security configuration and controls. They can have a potentially significant impact to users or to applications, enforcing a level of security commensurate with the risks facing targeted organizations. Microsoft recommends disciplined testing and deployment using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates).
-
-### Security Template Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|----------|-----------------|---------------|--------------|
-| [Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/) | Account lockout duration | 15 | The number of minutes a locked-out account remains locked out before automatically becoming unlocked. |
-| [Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/) | Account lockout threshold | 10 | The number of failed logon attempts that causes a user account to be locked out. |
-| [Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/) | Reset account lockout counter after | 15 | The number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. |
-| Password Policy | Maximum password age | 60 | The number of days that a password can be used before the system requires the user to change it. |
-| Password Policy | Minimum password age | 1 | The number of days that a password must be used before a user can change it. |
-| Security Options | Accounts: Administrator account status | Disabled | This security setting determines whether the local Administrator account is enabled or disabled. |
-| Security Options | Accounts: Limit local account use of blank passwords to console logon only | Enabled | This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. |
-| Security Options | Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled | Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category level, and existing Group Policy may override the subcategory settings of new machines as they are joined to the domain or upgraded. To allow audit policy to be managed using subcategories without requiring a change to Group Policy, there is a new registry value in Windows Vista and later versions, SCENoApplyLegacyAuditPolicy, which prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool. |
-| Security Options | Domain member: Digitally encrypt or sign secure channel data (always) | Enabled | This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. This setting determines whether all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies:
- Domain member: Digitally encrypt secure channel data (when possible)
- Domain member: Digitally sign secure channel data (when possible) |
-| Security Options | Domain member: Digitally encrypt secure channel data (when possible) | Enabled | This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise, only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption. |
-| Security Options | Domain member: Digitally sign secure channel data (when possible) | Enabled | This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed, which ensures that it cannot be tampered with in transit. |
-| Security Options | Interactive logon: Smart card removal behavior | Lock Workstation | This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. If you click **Lock Workstation** in the **Properties** for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart cards with them, and still maintain protected sessions. For this setting to work beginning with Windows Vista, the Smart Card Removal Policy service must be started. |
-| Security Options | Microsoft network client: Digitally sign communications (always) | Enabled | This security setting determines whether packet signing is required by the SMB client component. |
-| Security Options | Microsoft network server: Digitally sign communications (always) | Enabled | This security setting determines whether packet signing is required by the SMB server component. |
-| Security Options | Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. This security option allows additional restrictions to be placed on anonymous connections as follows: Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. |
-| Security Options | Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. |
-| Security Options | Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | When enabled, this security setting restricts anonymous access to shares and pipes to the settings for:
- Network access: Named pipes that can be accessed anonymously
- Network access: Shares that can be accessed anonymously |
-| Security Options | Network security: Allow PKU2U authentication requests to this computer to use online identities. | Disabled | This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine. |
-| Security Options | Network security: LDAP client signing requirements | Negotiate signing | This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows: Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\\SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the options specified by the caller. If TLS\\SSL has been started, the LDAP BIND request is initiated with the options that are specified by the caller. |
-| Security Options | System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled | This security setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. If this policy is enabled, the default DACL is stronger, allowing users who are not administrators to read shared objects but not allowing these users to modify shared objects that they did not create. |
-| Security Options | User Account Control: Behavior of the elevation prompt for standard users | Automatically deny elevation requests | This policy setting controls the behavior of the elevation prompt for standard users. Automatically deny elevation requests: When an operation requires elevation of privilege, an access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. |
-
-### Computer Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|----------|-----------------|---------------|--------------|
-| Control Panel / Personalization | Prevent enabling lock screen camera | Enabled | Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. By default, users can enable invocation of an available camera on the lock screen. If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings and the camera cannot be invoked on the lock screen. |
-| Control Panel / Personalization | Prevent enabling lock screen slide show | Enabled | Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. By default, users can enable a slide show that will run after they lock the machine. if you enable this setting, users will no longer be able to modify slide show settings in PC Settings and no slide show will ever start. |
-| Windows Defender SmartScreen / Explorer | Configure App Install Control | Allow apps from Store only | App Install Control is a feature of Windows Defender SmartScreen that helps protect PCs by allowing users to install apps only from the Store. SmartScreen must be enabled for this feature to work properly. |
-| System / Device Installation / Device Installation Restrictions | Prevent installation of devices that match any of these device IDs | Enabled | This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. if you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in a list that you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. |
-| System / Device Installation / Device Installation Restrictions | Prevent installation of devices using drivers that match these device setup classes | Enabled | This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. if you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. |
-| System / Internet Communication Management / Internet Communication settings | Turn off downloading of print drivers over HTTP | Enabled | This policy setting specifies whether to allow this client to download print driver packages over HTTP. To set up HTTP printing non-inbox drivers need to be downloaded over HTTP. Note: This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally. if you enable this policy setting, print drivers cannot be downloaded over HTTP. If you disable or do not configure this policy setting, users can download print drivers over HTTP. |
-| System / Internet Communication Management / Internet Communication settings | Turn off printing over HTTP | Enabled | This policy setting specifies whether to allow printing over HTTP from this client. Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. Note: This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. if you enable this policy setting, it prevents this client from printing to Internet printers over HTTP. If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP. Also see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers. |
-| System / Logon | Enumerate local users on domain-joined computers | Disabled | This policy setting allows local users to be enumerated on domain-joined computers. if you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers. |
-| System / Power Management / Sleep Settings | Allow standby states (S1-S3) when sleeping (on battery) | Disabled | This policy setting manages whether Windows can use standby states when putting the computer in a sleep state. If you enable or do not configure this policy setting Windows uses standby states to put the computer in a sleep state. If you disable this policy setting standby states (S1-S3) are not allowed. |
-| System / Power Management / Sleep Settings | Allow standby states (S1-S3) when sleeping (plugged in) | Disabled | This policy setting manages whether Windows can use standby states when putting the computer in a sleep state. If you enable or do not configure this policy setting Windows uses standby states to put the computer in a sleep state. If you disable this policy setting standby states (S1-S3) are not allowed. |
-| Windows Components / BitLocker Drive Encryption / Operating System Drives | Configure minimum PIN length for startup | Enabled: 7 | This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. if you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN. If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 4 and 20 digits. By default, the value is 6 digits. NOTE: If minimum PIN length is set below 6 digits Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. |
-| Windows Components / BitLocker Drive Encryption / Removable Data Drives | Deny write access to removable drives not protected by BitLocker | Enabled | This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. If the "Deny write access to devices configured in another organization" option is selected, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed, it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" policy setting. If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access. Note: This policy setting can be overridden by the policy settings under User Configuration\\Administrative Templates\\System\\Removable Storage Access. If the "Removable Disks: Deny write access" policy setting is enabled, this policy setting will be ignored. |
-| Windows Components / Cloud Content | Turn off Microsoft consumer experiences | Enabled | This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. if you enable this policy setting, users will no longer see personalized recommendations from Microsoft and notifications about their Microsoft account. If you disable or do not configure this policy setting, users may see suggestions from Microsoft and notifications about their Microsoft account. Note: This setting only applies to Enterprise and Education SKUs. |
-| Windows Components / Credential User Interface | Enumerate administrator accounts on elevation | Disabled | This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. if you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password. If you disable this policy setting users will always be required to type a user name and password to elevate. |
-| Windows Components / Microsoft Edge | Configure Password Manager | Disabled | This policy setting lets you decide whether employees can save their passwords locally using Password Manager. By default, Password Manager is turned on. if you enable this setting, employees can use Password Manager to save their passwords locally. If you disable this setting employees can't use Password Manager to save their passwords locally. If you don't configure this setting employees can choose whether to use Password Manager to save their passwords locally. |
-| Windows Components / Remote Desktop Services / Remote Desktop | Do not allow drive redirection | Enabled | This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format \ on \. You can use this policy setting to override this behavior. if you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions and Clipboard file copy redirection is not allowed on computers running Windows Server 2003 Windows 8 and Windows XP. If you disable this policy setting client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed. If you do not configure this policy setting client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. |
-| Windows Components / RSS Feeds | Prevent downloading of enclosures | Enabled | This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. if you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs. If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. |
-| Windows Components / Search | Allow indexing of encrypted files | Disabled | This policy setting allows encrypted items to be indexed. if you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply). If you disable this policy setting the search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores. This policy setting is not configured by default. If you do not configure this policy setting the local setting configured through Control Panel will be used. By default, the Control Panel setting is set to not index encrypted content. When this setting is enabled or disabled the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. |
-| Windows Components / Windows Ink Workspace | Allow Windows Ink Workspace | On, but disallow access above lock | Allow Windows Ink Workspace |
-
-### IE Computer Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|-------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Windows Components / Internet Explorer | Prevent per-user installation of ActiveX controls | Enabled | This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis. If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis. |
-| Windows Components / Internet Explorer | Security Zones: Do not allow users to add/delete sites | Enabled | Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level. If you enable this policy, the site management settings for security zones are disabled. |
-| Windows Components / Internet Explorer | Security Zones: Do not allow users to change policies | Enabled | Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level. If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled. |
-| Windows Components / Internet Explorer | Security Zones: Use only machine settings | Enabled | Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level. If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer. |
-| Windows Components / Internet Explorer | Turn off Crash Detection | Enabled | This policy setting allows you to manage the crash detection feature of add-on Management. If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely, to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply. |
-| Windows Components / Internet Explorer | Turn off the Security Settings Check feature | Disabled | This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk. |
-| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled | Enabled | This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. When a user has an ActiveX control installed that is not compatible with Enhanced Protected Mode and a website attempts to load the control, Internet Explorer notifies the user and gives the option to run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in Enhanced Protected Mode. |
-| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows | Enabled | This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows. |
-| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Turn on Enhanced Protected Mode | Enabled | Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page | Intranet Sites: Include all network paths (UNCs) | Disabled | This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow drag and drop or copy and paste files | Enabled: Disable | This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow loading of XAML files | Enabled: Disable | This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow only approved domains to use ActiveX controls without prompt | Enabled: Enable | This policy setting controls whether the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow only approved domains to use the TDC ActiveX control | Enabled: Enable | This policy setting controls whether the user can run the TDC ActiveX control on websites. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow scripting of Internet Explorer WebBrowser controls | Enabled: Disable | This policy setting determines whether a page can control embedded WebBrowser controls via script. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow script-initiated windows without size or position constraints | Enabled: Disable | This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow scriptlets | Enabled: Disable | This policy setting allows you to manage whether the user can run scriptlets. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow updates to status bar via script | Enabled: Disable | This policy setting allows you to manage whether script can update the status bar within the zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow VBScript to run in Internet Explorer | Enabled: Disable | This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Download signed ActiveX controls | Enabled: Disable | This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Include local path when user is uploading files to a server | Enabled: Disable | This policy setting controls whether local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Navigate windows and frames across different domains | Enabled: Disable | This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Web sites in less privileged Web content zones can navigate into this zone | Enabled: Disable | This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. |
-
-### IE User Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|----------|-----------------|--------------|--------------|
-| Windows Components / Internet Explorer | Turn on the auto-complete feature for user names and passwords on forms | Disabled | This AutoComplete feature can remember and suggest User names and passwords on Forms. If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. |
-
-## Controls
-
-The controls enforced in level 3 implement complex security configuration and controls.
-They are likely to have a higher impact to users or to applications,
-enforcing a level of security commensurate with the risks facing the most targeted organizations.
-Microsoft recommends using the Audit/Enforce methodology for controls with audit mode, and [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do
-not.
-
-| Feature Set | Feature | Description |
-|--------------|----------|--------------|
-| Exploit protection | Enable exploit protection | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at the individual app level. |
-| Windows Defender Application Control (WDAC) *or* AppLocker | Configure devices to use application whitelisting using one of the following approaches:
[AaronLocker](https://blogs.msdn.microsoft.com/aaron_margosis/2018/10/11/aaronlocker-update-v0-91-and-see-aaronlocker-in-action-on-channel-9/) (admin writeable areas) when software distribution is not always centralized
*or*
[Managed installer](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer) when all software is pushed through software distribution
*or*
[Explicit control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy) when the software on a device is static and tightly controlled | Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run. Application Control can help mitigate these types of security threats by restricting the applications that users can run and the code that runs in the System Core (kernel). WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs in [Constrained Language Mode](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/). |
-
-## Behaviors
-
-The behaviors recommended in level 3 represent the most sophisticated security
-configuration. Removing admin rights can be difficult, but it is essential to
-achieve a level of security commensurate with the risks facing the most targeted
-organizations.
-
-| Feature Set | Feature | Description |
-|--------------|----------|--------------|
-| Remove Admin Rights | Remove as many users as possible from the local Administrators group, targeting 0. Microsoft recommends removing admin rights role by role. Some roles are more challenging, including:
- Developers, who often install rapidly iterating software which is difficult to package using current software distribution systems
- Scientists/ Doctors, who often must install and operate specialized hardware devices
- Remote locations with slow web links, where administration is delegated
It is typically easier to address these roles later in the process.
Microsoft recommends identifying the dependencies on admin rights and systematically addressing them:
- Legitimate use of admin rights: crowdsourced admin, where a new process is needed to complete that workflow
- Illegitimate use of admin rights: app compat dependency, where app remediation is the best path. The [Desktop App Assure](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-is-Desktop-App-Assure/ba-p/270232) program can assist with these app issues | Running as non-admin limits your exposure. When you are an admin, every program you run has unlimited access to your computer. If malicious code finds its way to one of those programs, it also gains unlimited access. When an exploit runs with admin privileges, its ability to compromise your system is much greater, its ability to do so without detection is much greater, and its ability to attack others on your network is greater than it would be with only User privileges. If you’re running as admin, an exploit can:
- install kernel-mode rootkits and/or keyloggers
- install and start services
- install ActiveX controls, including IE and shell add-ins
- access data belonging to other users
- cause code to run whenever anybody else logs on (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)
- replace OS and other program files with trojan horses
- disable/uninstall anti-virus
- cover its tracks in the event log
- render your machine unbootable |
-
-
-
-
-
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md
new file mode 100644
index 0000000000..d1673ce03b
--- /dev/null
+++ b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md
@@ -0,0 +1,88 @@
+---
+title: Level 3 enterprise high security configuration
+description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 3 enterprise VIP security configuration.
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.author: appcompatguy
+author: appcompatguy
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 05/29/2019
+---
+
+# Level 3 enterprise high security configuration
+
+**Applies to**
+
+- Windows 10
+
+Level 3 is the security configuration recommended as a standard for organizations with large and sophisticated security organizations, or for specific users and groups who will be uniquely targeted by adversaries. Such organizations are typically targeted by well-funded and sophisticated adversaries, and as such merit the additional constraints and controls described here.
+A level 3 configuration should include all the configurations from level 2 and level 1 and add the following security policies, controls, and organizational behaviors.
+
+## Hardware
+
+Devices targeting Level 3 should support all Level 2 and Level 1 features, and add the following hardware features:
+
+- [System Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows)
+- [Modern Standby](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby)
+
+## Policies
+
+The policies enforced in level 3 include all of the policies recommended for levels 2 and 1, and adds the below policies to
+implement strict security configuration and controls. They can have a potentially significant impact to users or to applications, enforcing
+a level of security commensurate with the risks facing targeted organizations. Microsoft recommends disciplined testing and deployment using
+[the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates).
+
+### Computer Policies
+
+| Feature | Policy Setting | Policy Value | Description |
+|----------|-----------------|---------------|--------------|
+| Control Panel / Personalization | Prevent enabling lock screen slide show | Enabled | Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. By default, users can enable a slide show that will run after they lock the machine. if you enable this setting, users will no longer be able to modify slide show settings in PC Settings and no slide show will ever start. |
+| System / Logon | Enumerate local users on domain-joined computers | Disabled | This policy setting allows local users to be enumerated on domain-joined computers. if you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers. |
+| System / Power Management / Sleep Settings | Allow standby states (S1-S3) when sleeping (on battery) | Disabled | This policy setting manages whether Windows can use standby states when putting the computer in a sleep state. If you enable or do not configure this policy setting Windows uses standby states to put the computer in a sleep state. If you disable this policy setting standby states (S1-S3) are not allowed. |
+| System / Power Management / Sleep Settings | Allow standby states (S1-S3) when sleeping (plugged in) | Disabled | This policy setting manages whether Windows can use standby states when putting the computer in a sleep state. If you enable or do not configure this policy setting Windows uses standby states to put the computer in a sleep state. If you disable this policy setting standby states (S1-S3) are not allowed. |
+| Windows Components / Cloud Content | Turn off Microsoft consumer experiences | Enabled | This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. if you enable this policy setting, users will no longer see personalized recommendations from Microsoft and notifications about their Microsoft account. If you disable or do not configure this policy setting, users may see suggestions from Microsoft and notifications about their Microsoft account. Note: This setting only applies to Enterprise and Education SKUs. |
+| Windows Components / Credential User Interface | Enumerate administrator accounts on elevation | Disabled | This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. if you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password. If you disable this policy setting users will always be required to type a user name and password to elevate. |
+| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled | Enabled | This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. When a user has an ActiveX control installed that is not compatible with Enhanced Protected Mode and a website attempts to load the control, Internet Explorer notifies the user and gives the option to run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in Enhanced Protected Mode. |
+| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows | Enabled | This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows. |
+| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Turn on Enhanced Protected Mode | Enabled | Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page | Intranet Sites: Include all network paths (UNCs) | Disabled | This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. |
+| Windows Components / Microsoft Edge | Configure Password Manager | Disabled | This policy setting lets you decide whether employees can save their passwords locally using Password Manager. By default, Password Manager is turned on. if you enable this setting, employees can use Password Manager to save their passwords locally. If you disable this setting employees can't use Password Manager to save their passwords locally. If you don't configure this setting employees can choose whether to use Password Manager to save their passwords locally. |
+
+### User Policies
+| Feature | Policy Setting | Policy Value | Description |
+|----------|-----------------|---------------|--------------|
+| Windows Components / Internet Explorer | Turn on the auto-complete feature for user names and passwords on forms | Disabled | This AutoComplete feature can remember and suggest User names and passwords on Forms. If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords". If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. |
+
+## Controls
+
+The controls enforced in level 3 implement complex security configuration and controls.
+They are likely to have a higher impact to users or to applications,
+enforcing a level of security commensurate with the risks facing the most targeted organizations.
+Microsoft recommends using the Audit/Enforce methodology for controls with audit mode, and [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do
+not.
+
+| Feature Set | Feature | Description |
+|--------------|----------|--------------|
+| Exploit protection | Enable exploit protection | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at the individual app level. |
+| Windows Defender Application Control (WDAC) *or* AppLocker | Configure devices to use application whitelisting using one of the following approaches:
[AaronLocker](https://blogs.msdn.microsoft.com/aaron_margosis/2018/10/11/aaronlocker-update-v0-91-and-see-aaronlocker-in-action-on-channel-9/) (admin writeable areas) when software distribution is not always centralized
*or*
[Managed installer](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer) when all software is pushed through software distribution
*or*
[Explicit control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy) when the software on a device is static and tightly controlled | Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run. Application Control can help mitigate these types of security threats by restricting the applications that users can run and the code that runs in the System Core (kernel). WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs in [Constrained Language Mode](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/). |
+
+## Behaviors
+
+The behaviors recommended in level 3 represent the most sophisticated security
+configuration. Removing admin rights can be difficult, but it is essential to
+achieve a level of security commensurate with the risks facing the most targeted
+organizations.
+
+| Feature Set | Feature | Description |
+|--------------|----------|--------------|
+| Remove Admin Rights | Remove as many users as possible from the local Administrators group, targeting 0. Microsoft recommends removing admin rights role by role. Some roles are more challenging, including:
- Developers, who often install rapidly iterating software which is difficult to package using current software distribution systems
- Scientists/ Doctors, who often must install and operate specialized hardware devices
- Remote locations with slow web links, where administration is delegated
It is typically easier to address these roles later in the process.
Microsoft recommends identifying the dependencies on admin rights and systematically addressing them:
- Legitimate use of admin rights: crowdsourced admin, where a new process is needed to complete that workflow
- Illegitimate use of admin rights: app compat dependency, where app remediation is the best path. The [Desktop App Assure](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-is-Desktop-App-Assure/ba-p/270232) program can assist with these app issues | Running as non-admin limits your exposure. When you are an admin, every program you run has unlimited access to your computer. If malicious code finds its way to one of those programs, it also gains unlimited access. When an exploit runs with admin privileges, its ability to compromise your system is much greater, its ability to do so without detection is much greater, and its ability to attack others on your network is greater than it would be with only User privileges. If you’re running as admin, an exploit can:
- install kernel-mode rootkits and/or keyloggers
- install and start services
- install ActiveX controls, including IE and shell add-ins
- access data belonging to other users
- cause code to run whenever anybody else logs on (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)
- replace OS and other program files with trojan horses
- disable/uninstall anti-virus
- cover its tracks in the event log
- render your machine unbootable |
+
+
+
+
+
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-devops-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-devops-security.md
similarity index 58%
rename from windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-devops-security.md
rename to windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-devops-security.md
index 6f5f29c049..fbcf933ccc 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-devops-security.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-devops-security.md
@@ -1,6 +1,6 @@
---
-title: Level 2 enterprise dev/ops security workstation configuration
-description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 2 enterprise dev/ops security configuration.
+title: Level 4 enterprise dev/ops security workstation configuration
+description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 4 enterprise dev/ops security configuration.
keywords: virtualization, security, malware
ms.prod: w10
ms.mktglfcycl: deploy
@@ -11,17 +11,17 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/05/2018
+ms.date: 06/11/2019
ms.reviewer:
---
-# Level 2 enterprise dev/ops workstation security configuration
+# Level 4 enterprise dev/ops workstation security configuration
**Applies to**
- Windows 10
-We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. A level 2 configuration should include all the configurations from levels 5, 4, and 3 and additional controls. We are planning recommendations for the additional controls now, so check back soon for level 2 enterprise dev/ops security configuration guidance!
+We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. A level 4 configuration should include all the configurations from levels 3, 2, and 1 and additional controls. We are planning recommendations for the additional controls now, so check back soon for level 4 enterprise dev/ops security configuration guidance!
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md
deleted file mode 100644
index 198b148cd0..0000000000
--- a/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md
+++ /dev/null
@@ -1,210 +0,0 @@
----
-title: Level 4 enterprise high security configuration
-description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 4 enterprise security configuration.
-keywords: virtualization, security, malware
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 04/05/2018
-ms.reviewer:
----
-
-# Level 4 enterprise high security configuration
-
-**Applies to**
-
-- Windows 10
-
-Level 4 is the security configuration recommended as a standard for devices where users access more sensitive information. These devices are a natural target in enterprises today. While targeting high levels of security, these recommendations do not assume a large staff of highly skilled security practitioners, and therefore should be accessible to most enterprise organizations.
-A level 4 configuration should include all the configurations from level 5 and add the following security policies, controls, and organizational behaviors.
-
-## Policies
-
-The policies enforced in level 4 implement more controls and a more sophisticated security
-configuration than level 5. While they may have a slightly higher impact to
-users or to applications, they enforce a level of security more commensurate
-with the risks facing users with access to sensitive information. Microsoft
-recommends using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for these security configurations and
-controls, with a moderate timeline that is anticipated to be slightly longer
-than the process in level 5.
-
-### Security Template Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|------------------------|-------------------------------------------------------------------------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Security Options | Microsoft network client: Send unencrypted password to third party | Disabled | If this security setting is enabled, the Server Message Block (SMB) redirector can send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. Sending unencrypted passwords is a security risk. |
-| Security Options | Network access: Allow anonymous SID/Name translation | Disabled | This security setting determines if an anonymous user can request security identifier (SID) attributes for another user. If this policy is enabled, a user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. |
-| Security Options | Network access: Restrict clients allowed to make remote calls to SAM | Enabled: Administrators (allowed) | This policy setting allows you to restrict remote RPC connections to SAM. If not selected, the default security descriptor will be used. |
-| Security Options | Network security: Allow LocalSystem NULL session fallback | Disabled | Allow NTLM to fall back to NULL session when used with LocalSystem |
-| Security Options | Network security: Do not store LAN Manager hash value on next password change | Enabled | This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. |
-| Security Options | Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM | This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: Send NTLMv2 response only\\refuse LM & NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). |
-| Security Options | Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require NTLMv2 session security and Require 128-bit encryption | This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. |
-| Security Options | Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require NTLMv2 session security and Require 128-bit encryption | This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. |
-| Security Options | User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled | This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - …\\Program Files\\, including subfolders - …\\Windows\\system32\\ - …\\Program Files (x86)\\, including subfolders for 64-bit versions of Windows |
-| User Rights Assignment | Access this computer from the network | Administrators; Remote Desktop Users | This user right determines which users and groups can connect to the computer over the network. Remote Desktop Services are not affected by this user right. |
-| User Rights Assignment | Enable computer and user accounts to be trusted for delegation | No One (blank) | This security setting determines which users can set the Trusted for Delegation setting on a user or computer object. |
-| User Rights Assignment | Impersonate a client after authentication | Administrators, SERVICE, Local Service, Network Service | Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. |
-| User Rights Assignment | Lock pages in memory | No One (blank) | This security setting determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random-access memory (RAM). |
-| User Rights Assignment | Perform volume maintenance tasks | Administrators | This security setting determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. |
-| User Rights Assignment | Profile single process | Administrators | This security setting determines which users can use performance monitoring tools to monitor the performance of non-system processes. |
-
-### Computer Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|---------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Network / Network Connections | Prohibit use of Internet Connection Sharing on your DNS domain network | Enabled | Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. |
-| Network / Network Provider | Hardened UNC Paths | Enabled: \\\\\*\\SYSVOL and \\\\\*\\NETLOGON RequireMutualAuthentication = 1, RequireIntegrity = 1 | This policy setting configures secure access to UNC paths. If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. |
-| Network / Windows Connection Manager | Prohibit connection to non-domain networks when connected to domain authenticated network | Enabled | This policy setting prevents computers from connecting to both a domain-based network and a non-domain-based network at the same time. |
-| Network / WLAN Service / WLAN Settings | Allow Windows to automatically connect to suggested open hotspots to networks shared by contacts and to hotspots offering paid services | Disabled | This policy setting determines whether users can enable the following WLAN settings: "Connect to suggested open hotspots," "Connect to networks shared by my contacts," and "Enable paid services". |
-| System / Credentials Delegation | Remote host allows delegation of non-exportable credentials | Enabled | When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode. |
-| System / Device Guard | Turn on Virtualization Based Security | Enabled: Virtualization-Based Protection of Code Integrity – Enabled with UEFI Lock | This setting enables virtualization-based protection of Kernel Mode Code Integrity. When this is enabled, kernel mode memory protections are enforced, and the Code Integrity validation path is protected by the Virtualization Based Security feature. |
-| System / Internet Communication Management / Internet Communication | Turn off Internet download for Web publishing and online ordering wizards | Enabled | This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry. |
-| System / Logon | Turn on convenience PIN sign-in | Disabled | This policy setting allows you to control whether a domain user can sign in using a convenience PIN. |
-| System / Remote Assistance | Configure Solicited Remote Assistance | Disabled | This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. |
-| Windows Components / File Explorer | Turn off Data Execution Prevention for Explorer | Disabled | Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. |
-| Windows Components / File Explorer | Turn off heap termination on corruption | Disabled | Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later. |
-| Windows Components / Remote Desktop Services / Remote Desktop Connection Client | Do not allow passwords to be saved | Enabled | Controls whether passwords can be saved on this computer from Remote Desktop Connection. |
-| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Always prompt for password upon connection | Enabled | This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. |
-| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Require secure RPC communication | Enabled | Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. |
-| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Set client connection encryption level | Enabled: High Level | Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. |
-| Windows Components / Windows Security / App and browser protection | Prevent users from modifying settings | Enabled | Prevent users from making changes to the Exploit protection settings area in Windows Security. |
-| Windows Components / Windows Game Recording and Broadcasting | Enables or disables Windows Game Recording and Broadcasting | Disabled | This setting enables or disables the Windows Game Recording and Broadcasting features. If you disable this setting, Windows Game Recording will not be allowed. |
-| Windows Components / Windows PowerShell | Turn on PowerShell Script Block Logging | Enabled | This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. |
-| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Allow Basic authentication | Disabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. |
-| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Disallow Digest authentication | Enabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authentication. |
-| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Allow Basic authentication | Disabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. |
-| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Disallow WinRM from storing RunAs credentials | Enabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins. |
-
-### Windows Defender Antivirus Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|-------------------------------------------------|-----------------------------------------------------------|----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Windows Components / Windows Defender Antivirus | Configure Detection for Potentially Unwanted Applications | Enabled: Block | Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. |
-
-### IE Computer Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|---------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|--------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Windows Components / Internet Explorer | Prevent bypassing SmartScreen Filter warnings | Enabled | This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious. |
-| Windows Components / Internet Explorer | Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet | Enabled | This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet. |
-| Windows Components / Internet Explorer | Specify use of ActiveX Installer Service for installation of ActiveX controls | Enabled | This policy setting allows you to specify how ActiveX controls are installed. If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls. |
-| Windows Components / Internet Explorer / Internet Control Panel | Prevent ignoring certificate errors | Enabled | This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer. |
-| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Allow software to run or install even if the signature is invalid | Disabled | This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file. |
-| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Check for signatures on downloaded programs | Enabled | This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs. |
-| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Turn off encryption support | Enabled: Use | This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each other’s list of supported protocols and versions, and they select the most preferred match. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page | Turn on certificate address mismatch warning | Enabled | This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Access data sources across domains | Enabled: Disable | This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow cut copy or paste operations from the clipboard via script | Enabled: Disable | This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Automatic prompting for file downloads | Enabled: Disable | This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Download unsigned ActiveX controls | Enabled: Disable | This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Enable dragging of content from different domains across windows | Enabled: Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Enable dragging of content from different domains within a window | Enabled: Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Initialize and script ActiveX controls not marked as safe | Enabled: Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Launching applications and files in an IFRAME | Enabled: Disable | This policy setting allows you to manage whether applications may be run, and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Logon options | Enabled: Prompt for user name and password | This policy setting allows you to manage settings for logon options. Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Run .NET Framework-reliant components not signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Run .NET Framework-reliant components signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Show security warning for potentially unsafe files | Enabled: Prompt | This policy setting controls whether the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Userdata persistence | Enabled: Disable | This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Initialize and script ActiveX controls not marked as safe | Enabled: Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Local Machine Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Intranet Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Local Machine Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Restricted Sites Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Access data sources across domains | Enabled: Disable | This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow active scripting | Enabled: Disable | This policy setting allows you to manage whether script code on pages in the zone is run. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow binary and script behaviors | Enabled: Disable | This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow cut copy or paste operations from the clipboard via script | Enabled: Disable | This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow drag and drop or copy and paste files | Enabled: Disable | This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow file downloads | Enabled: Disable | This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow loading of XAML files | Enabled: Disable | This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow META REFRESH | Enabled: Disable | This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Download signed ActiveX controls | Enabled: Disable | This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow only approved domains to use ActiveX controls without prompt | Enabled: Enable | This policy setting controls whether the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow only approved domains to use the TDC ActiveX control | Enabled: Enable | This policy setting controls whether the user can run the TDC ActiveX control on websites. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow scripting of Internet Explorer WebBrowser controls | Enabled: Disable | This policy setting determines whether a page can control embedded WebBrowser controls via script. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow script-initiated windows without size or position constraints | Enabled: Disable | This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow scriptlets | Enabled: Disable | This policy setting allows you to manage whether the user can run scriptlets. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow updates to status bar via script | Enabled: Disable | This policy setting allows you to manage whether script can update the status bar within the zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow VBScript to run in Internet Explorer | Enabled: Disable | This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Automatic prompting for file downloads | Enabled: Disable | This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Download unsigned ActiveX controls | Enabled: Disable | This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Enable dragging of content from different domains across windows | Enabled: Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Enable dragging of content from different domains within a window | Enabled: Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Include local path when user is uploading files to a server | Enabled: Disable | This policy setting controls whether local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Initialize and script ActiveX controls not marked as safe | Enabled: Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Launching applications and files in an IFRAME | Enabled: Disable | This policy setting allows you to manage whether applications may be run, and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Logon options | Enabled: Anonymous logon | This policy setting allows you to manage settings for logon options. Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Navigate windows and frames across different domains | Enabled: Disable | This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Run .NET Framework-reliant components not signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Run .NET Framework-reliant components signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Run ActiveX controls and plugins | Enabled: Disable | This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Script ActiveX controls marked safe for scripting | Enabled: Disable | This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Scripting of Java applets | Enabled: Disable | This policy setting allows you to manage whether applets are exposed to scripts within the zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Show security warning for potentially unsafe files | Enabled: Disable | This policy setting controls whether the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). If you disable this policy setting, these files do not open. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Userdata persistence | Enabled: Disable | This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Web sites in less privileged Web content zones can navigate into this zone | Enabled: Disable | This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Initialize and script ActiveX controls not marked as safe | Enabled: Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Java permissions | Enabled: High Safety | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. High Safety enables applets to run in their sandbox. |
-| Windows Components / Internet Explorer / Security Features / Add-on Management | Remove "Run this time" button for outdated ActiveX controls in Internet Explorer | Enabled | This policy setting allows you to stop users from seeing the "Run this time" button and from running specific outdated ActiveX controls in Internet Explorer. |
-| Windows Components / Internet Explorer / Security Features / Add-on Management | Turn off blocking of outdated ActiveX controls for Internet Explorer | Disabled | This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. |
-| Windows Components / Internet Explorer / Security Features / Consistent Mime Handling | Internet Explorer Processes | Enabled | Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server. This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension. If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files. |
-| Windows Components / Internet Explorer / Security Features / Mime Sniffing Safety Feature | Internet Explorer Processes | Enabled | This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. If you enable this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. |
-| Windows Components / Internet Explorer / Security Features / MK Protocol Security Restriction | Internet Explorer Processes | Enabled | The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail. If you enable this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. |
-| Windows Components / Internet Explorer / Security Features / Notification Bar | Internet Explorer Processes | Enabled | This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes. If you enable this policy setting, the Notification bar will be displayed for Internet Explorer Processes. |
-| Windows Components / Internet Explorer / Security Features / Protection from Zone Elevation | Internet Explorer Processes | Enabled | Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context. If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. |
-| Windows Components / Internet Explorer / Security Features / Restrict ActiveX Install | Internet Explorer Processes | Enabled | This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. If you enable this policy setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes. |
-| Windows Components / Internet Explorer / Security Features / Restrict File Download | Internet Explorer Processes | Enabled | This policy setting enables blocking of file download prompts that are not user initiated. If you enable this policy setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes. |
-| Windows Components / Internet Explorer / Security Features / Scripted Window Security Restrictions | Internet Explorer Processes | Enabled | Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars. If you enable this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. |
-
-### Custom Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|-------------------|---------------------------------|-------------------------|------------------------|
-| MS Security Guide | Configure SMB v1 server | Disabled | Disable or enable server-side processing of the SMBv1 protocol |
-| MS Security Guide | Configure SMB v1 client driver | Enabled: Disable driver | Configure the startup mode for the kernel mode driver that implements client-side SMBv1 processing (MrxSmb10). This setting includes a dropdown that is activated when the Enabled radio button is selected and that controls the “Start” registry value in HKLM\\SYSTEM\\CurrentControlSet\\Services\\MrxSmb10. |
-| MS Security Guide | Enabled Structured Exception Handling Overwrite Protection (SEHOP)| Enabled | This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option. We recommend that Windows users who are running any of the above operating systems enable this feature to improve the security profile of their systems. |
-| MS Security Guide | WDigest Authentication | Disabled | When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. WDigest is disabled by default in Windows 10. This setting ensures this is enforced. |
-| MS Security Guide | Block Flash activation in Office documents | Enabled | Prevents the Adobe Flash ActiveX control from being loaded by Office applications. |
-| MSS (Legacy) | MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (Protects against packet spoofing) | Highest Protection, source routing is completely disabled | Allowing source routed network traffic allows attackers to obscure their identity and location. |
-| MSS (Legacy) | MSS: (DisableIPSourceRouting) IP source routing protection level (Protects against packet spoofing) | Highest Protection, source routing is completely disabled | Allowing source routed network traffic allows attackers to obscure their identity and location. |
-| MSS (Legacy) | MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | Disabled | Allowing ICMP redirect of routes can lead to traffic not being routed properly. When disabled, this forces ICMP to be routed via shortest path first. |
-| MSS (Legacy) | MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Enabled | Prevents a denial-of-service (DoS) attack against a WINS server. The DoS consists of sending a NetBIOS Name Release Request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability. |
-
-## Controls
-
-The controls enforced in level 4 implement more controls and a more sophisticated security
-configuration than level 5. While they may have a slightly higher impact to
-users or to applications, they enforce a level of security more commensurate
-with the risks facing users with access to sensitive information. Microsoft
-recommends using the Audit/Enforce methodology for controls with an Audit mode,
-and [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do not, with a moderate timeline that
-is anticipated to be slightly longer than the process in level 5.
-
-| Feature Set | Feature | Description |
-|-------------------------------------------------------------|-------------------------------------------------------|----------------|
-| [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) | Enforce memory protection for OS-level controls:
- Control flow guard (CFG)
- Data Execution Protection (DEP)
- Mandatory ASLR
- Bottom-Up ASLR
- High-entropy ASLR
- Validate Exception Chains (SEHOP)
- Validate heap integrity | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at either the operating system level, or at the individual app level. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. dynamically generating code without marking memory as executable). Microsoft recommends gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). |
-| [Attack Surface Reduction (ASR)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)| Configure and enforce [Attack Surface Reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules)| Attack surface reduction controls help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. an Office application spawning a child process). Each control has an Audit mode, and as such, Microsoft recommends the Audit / Enforce Methodology (repeated here):
1) Audit – enable the controls in audit mode, and gather audit data in a centralized location
2) Review – review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure
3) Enforce – Deploy the configuration of any exemptions and convert the control to enforce mode |
-| [Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard) | Configure and enforce Network Protection | Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of Windows Defender SmartScreen to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). There is a risk to application compatibility, as a result of false positives in flagged sites. Microsoft recommends deploying using the Audit / Enforce Methodology. |
-
-## Behaviors
-
-The behaviors recommended in level 4 implement a more sophisticated security process. While they may require a more sophisticated organization, they enforce
-a level of security more commensurate with the risks facing users with access to
-sensitive information.
-
-| Feature Set| Feature | Description |
-|------------|----------|--------------|
-| Antivirus | Configure Protection Updates to failover to retrieval from Microsoft | Sources for Windows Defender Antivirus Protection Updates can be provided in an ordered list. If you are using internal distribution, such as SCCM or WSUS, configure Microsoft Update lower in the list as a failover. |
-| OS Security Updates | Deploy Windows Quality Updates within 4 days | As the time between release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, engineering a process that provides the ability to validate and deploy quality updates addressing known security vulnerabilities is a critical aspect of security hygiene.|
-| Helpdesk| 1:1 Administration| A simple and common model for helpdesk support is to add the Helpdesk group as a permanent member of the Local Administrators group of every device. If any device is compromised and helpdesk can connect to it, then these credentials can be used to obtain privilege on any / all other devices. Design and implement a strategy to provide helpdesk support without providing 1:all admin access – constraining the value of these Helpdesk credentials |
-
-
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-administrator-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-administrator-security.md
similarity index 60%
rename from windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-administrator-security.md
rename to windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-administrator-security.md
index 7aa97de40d..8b9d1f63c3 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-administrator-security.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-administrator-security.md
@@ -1,5 +1,5 @@
---
-title: Level 1 enterprise administrator workstation security
+title: Level 5 enterprise administrator workstation security
description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 1 enterprise administrator security configuration.
keywords: virtualization, security, malware
ms.prod: w10
@@ -11,11 +11,11 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/05/2018
+ms.date: 06/11/2019
ms.reviewer:
---
-# Level 1 enterprise administrator workstation security configuration
+# Level 5 enterprise administrator workstation security configuration
**Applies to**
@@ -23,4 +23,4 @@ ms.reviewer:
Administrators (particularly of identity or security systems) present the highest risk to the organization−through data theft, data alteration, or service disruption.
-A level 1 configuration should include all the configurations from levels 5, 4, 3, and 2 and additional controls. We are planning recommendations for the additional controls now, so check back soon for level 1 enterprise administrator security configuration guidance!
+A level 5 configuration should include all the configurations from levels 4, 3, 2, and 1 and adds additional controls. We are planning recommendations for the additional controls now, so check back soon for level 5 enterprise administrator security configuration guidance!
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md
deleted file mode 100644
index e7792091b1..0000000000
--- a/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md
+++ /dev/null
@@ -1,245 +0,0 @@
----
-title: Level 5 enterprise security configuration
-description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 5 enterprise security configuration.
-keywords: virtualization, security, malware
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 04/05/2018
-ms.reviewer:
----
-
-# Level 5 enterprise security configuration
-
-**Applies to**
-
-- Windows 10
-
-Level 5 is the minimum security configuration for an enterprise device.
-Microsoft recommends the following configuration for level 5 devices.
-
-## Policies
-
-The policies in level 5 enforce a reasonable security level while minimizing the impact to users or to applications.
-Microsoft recommends using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for these security configurations and controls, noting that the timeline can generally be short given the limited potential impact of the security controls.
-
-### Security Template Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|-------------------------|--------------------------------------------------------------------------------------------------|---------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Password Policy | Enforce password history | 24 | The number of unique new passwords that must be associated with a user account before an old password can be reused. |
-| Password Policy | Minimum password length | 14 | The least number of characters that a password for a user account may contain. |
-| Password Policy | Password must meet complexity requirements | Enabled | Determines whether passwords must meet complexity requirements:
1) Not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither check is case sensitive.
The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed to not be included in the password. Tokens that are less than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password.
2) Contain characters from three of the following categories:
- Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
- Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
- Base 10 digits (0 through 9)
-Non-alphanumeric characters (special characters):
(~!@#$%^&*_-+=`\|\\(){}[]:;"'<>,.?/)
Currency symbols such as the Euro or British Pound are not counted as special characters for this policy setting.
- Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages. |
-| Password Policy | Store passwords using reversible encryption | Disabled | Determines whether the operating system stores passwords using reversible encryption. |
-| Security Options | Accounts: Guest account status | Disabled | Determines if the Guest account is enabled or disabled. |
-| Security Options | Domain member: Disable machine account password changes | Disabled | Determines whether a domain member periodically changes its computer account password. |
-| Security Options | Domain member: Maximum machine account password age | 30 | Determines how often a domain member will attempt to change its computer account password |
-| Security Options | Domain member: require strong (Windows 2000 or later) session key | Enabled | Determines whether 128-bit key strength is required for encrypted secure channel data |
-| Security Options | Interactive logon: Machine inactivity limit | 900 | The number of seconds of inactivity before the session is locked |
-| Security Options | User Account Control: Admin approval mode for the built-in administrator | Enabled | The built-in Administrator account uses Admin Approval Mode - any operation that requires elevation of privilege will prompt to user to approve that operation |
-| Security Options | User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop | When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. |
-| Security Options | User Account Control: Detect application installations and prompt for elevation | Enabled | When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. |
-| Security Options | User Account Control: Run all Administrators in admin approval mode | Enabled | This policy must be enabled, and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. |
-| Security Options | User Account Control: Virtualize file and registry write failures to per-user locations | Enabled | This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software. |
-| User Rights Assignments | Access Credential Manager as a trusted caller | No One (blank) | This setting is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users saved credentials might be compromised if this privilege is given to other entities. |
-| User Rights Assignments | Act as part of the operating system | No One (blank) | This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. |
-| User Rights Assignments | Allow log on locally | Administrators; Users | Determines which users can log on to the computer |
-| User Rights Assignments | Back up files and directories | Administrators | Determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system |
-| User Rights Assignments | Create a pagefile | Administrators | Determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file |
-| User Rights Assignments | Create a token object | No One (blank) | Determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. |
-| User Rights Assignments | Create global objects | Administrators; LOCAL SERVICE; NETWORK SERVICE; SERVICE | This security setting determines whether users can create global objects that are available to all sessions. |
-| User Rights Assignments | Create permanent shared objects | No One (blank) | Determines which accounts can be used by processes to create a directory object using the object manager |
-| User Rights Assignments | Create symbolic links | Administrators | Determines if the user can create a symbolic link from the computer he is logged on to |
-| User Rights Assignments | Debug programs | Administrators | Determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. |
-| User Rights Assignments | Deny access to this computer from the network | Guests; NT AUTHORITY\\Local Account | Determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. |
-| User Rights Assignments | Deny log on locally | Guests | Determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies. |
-| User Rights Assignments | Deny log on through Remote Desktop Services | Guests; NT AUTHORITY\\Local Account | Determines which users and groups are prohibited from logging on as a Remote Desktop Services client |
-| User Rights Assignments | Force shutdown from a remote system | Administrators | Determines which users can shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. |
-| User Rights Assignments | Increase scheduling priority | Administrators | Determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. |
-| User Rights Assignments | Load and unload device drivers | Administrators | Determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
-| User Rights Assignments | Manage auditing and security log | Administrators | Determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. |
-| User Rights Assignments | Modify firmware environment variables | Administrators | Determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. |
-| User Rights Assignments | Restore files and directories | Administrators | Determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object |
-| User Rights Assignments | Take ownership of files or other objects | Administrators | Determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads |
-
-### Advanced Audit Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|--------------------|---------------------------------------|---------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Account Logon | Audit Credential Validation | Success and Failure | Audit events generated by validation tests on user account logon credentials. Occurs only on the computer that is authoritative for those credentials. |
-| Account Management | Audit Security Group Management | Success | Audit events generated by changes to security groups, such as creating, changing or deleting security groups, adding or removing members, or changing group type. |
-| Account Management | Audit User Account Management | Success and Failure | Audit changes to user accounts. Events include creating, changing, deleting user accounts; renaming, disabling, enabling, locking out, or unlocking accounts; setting or changing a user account’s password; adding a security identifier (SID) to the SID History of a user account; configuring the Directory Services Restore Mode password; changing permissions on administrative user accounts; backing up or restoring Credential Manager credentials |
-| Detailed Tracking | Audit PNP Activity | Success | Audit when plug and play detects an external device |
-| Detailed Tracking | Audit Process Creation | Success | Audit events generated when a process is created or starts; the name of the application or user that created the process is also audited |
-| Logon/ Logoff | Audit Account Lockout | Failure | Audit events generated by a failed attempt to log on to an account that is locked out |
-| Logon/ Logoff | Audit Group Membership | Success | Audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. |
-| Logon/ Logoff | Audit Logon | Success and Failure | Audit events generated by user account logon attempts on the computer |
-| Logon/ Logoff | Audit Other Logon / Logoff Events | Success and Failure | Audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting, such as Terminal Services session disconnections, new Terminal Services sessions locking and unlocking a workstation, invoking or dismissing a screen saver, detection of a Kerberos replay attack, or access to a wireless network granted to a user or computer account |
-| Logon/ Logoff | Audit Special Logon | Success | Audit events generated by special logons such as the use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level, or a logon by a member of a Special Group (Special Groups enable you to audit events generated when a member of a certain group has logged on to your network) |
-| Object Access | Audit Detailed File Share | Failure | Audit attempts to access files and folders on a shared folder; the Detailed File Share setting logs an event every time a file or folder is accessed |
-| Object Access | Audit File Share | Success and Failure | Audit attempts to access a shared folder; an audit event is generated when an attempt is made to access a shared folder |
-| Object Access | Audit Other Object Access Events | Success and Failure | Audit events generated by the management of task scheduler jobs or COM+ objects |
-| Object Access | Audit Removable Storage | Success and Failure | Audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. |
-| Policy Change | Audit Audit Policy Change | Success | Audit changes in the security audit policy settings |
-| Policy Change | Audit Authentication Policy Change | Success | Audit events generated by changes to the authentication policy |
-| Policy Change | Audit MPSSVC Rule-Level Policy Change | Success and Failure | Audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. |
-| Policy Change | Audit Other Policy Change Events | Failure | Audit events generated by other security policy changes that are not audited in the policy change category, such as Trusted Platform Module (TPM) configuration changes, kernel-mode cryptographic self tests, cryptographic provider operations, cryptographic context operations or modifications, applied Central Access Policies (CAPs) changes, or boot Configuration Data (BCD) modifications |
-| Privilege Use | Audit Sensitive Privilege Use | Success and Failure | Audit events generated when sensitive privileges (user rights) are used |
-| System | Audit Other System Events | Success and Failure | Audit any of the following events: Startup and shutdown of the Windows Firewall service and driver, security policy processing by the Windows Firewall Service, cryptography key file and migration operations. |
-| System | Audit Security State Change | Success | Audit events generated by changes in the security state of the computer such as startup and shutdown of the computer, change of system time, recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. |
-| System | Audit Security System Extension | Success | Audit events related to security system extensions or services |
-| System | Audit System Integrity | Success and Failure | Audit events that violate the integrity of the security subsystem |
-
-### Windows Defender Firewall Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|----------------------------|---------------------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a domain connection |
-| Domain Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a domain connection |
-| Domain Profile / Logging | Size Limit | 16384 | Sets the firewall log file size for a domain connection |
-| Domain Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the domain profile |
-| Domain Profile / State | Firewall State | On | Enables the firewall when connected to the domain profile |
-| Domain Profile / State | Inbound Connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the domain profile |
-| Private Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a private connection |
-| Private Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a private connection |
-| Private Profile / Logging | Size limit | 16384 | Sets the firewall log file size for a private connection |
-| Private Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the private profile |
-| Private Profile / State | Firewall state | On | Enables the firewall when connected to the private profile |
-| Private Profile / State | Inbound connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the private profile |
-| Public Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a public connection |
-| Public Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a public connection |
-| Public Profile / Logging | Size Limit | 16384 | Sets the firewall log file size for a public connection |
-| Public Profile / Settings | Apply local connection security rules | No | Ensures local connection rules will not be merged with Group Policy settings in the domain |
-| Public Profile / Settings | Apply local firewall rules | No | Users cannot create new firewall rules |
-| Public Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the public profile |
-| Public Profile / State | Firewall state | On | Enables the firewall when connected to the public profile |
-| Public Profile / State | Inbound connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the public profile |
-
-### Computer Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|---------------------------------------------------------------------------|------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Network / Lanman Workstation | Enable insecure guest logons | Disabled | Determines if the SMB client will allow insecure guest logons to an SMB server |
-| System / Device Guard | Turn on Virtualization Based Security | Enabled: SecureBoot and DMA Protection | Specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot and can optionally be enabled with the use of DMA Protections. DMA protections require hardware support and will only be enabled on correctly configured devices. |
-| System / Early Launch Antimalware | Boot-Start Driver Initialization Policy | Enabled: Good, Unknown and bad but critical | Allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. |
-| System / Power Management / Sleep Settings | Require a password when a computer wakes (on battery) | Enabled | Specifies whether the user is prompted for a password when the system resumes from sleep |
-| System / Power Management / Sleep Settings | Require a password when a computer wakes (plugged in) | Enabled | Specifies whether the user is prompted for a password when the system resumes from sleep |
-| System / Remote Procedure Call | Restrict Unauthenticated RPC clients | Enabled: Authenticated | Controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. |
-| Windows Components / App runtime | Allow Microsoft accounts to be optional | Enabled | Lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. |
-| Windows Components / AutoPlay Policies | Disallow Autoplay for non-volume devices | Enabled | Disallows AutoPlay for MTP devices like cameras or phones. |
-| Windows Components / AutoPlay Policies | Set the default behavior for AutoRun | Enabled: Do not execute any autorun commands | Sets the default behavior for Autorun commands. |
-| Windows Components / AutoPlay Policies | Turn off Autoplay | Enabled: All Drives | Allows you to turn off the Autoplay feature. |
-| Windows Components / Biometrics / Facial Features | Configure enhanced anti-spoofing | Enabled | Determines whether enhanced anti-spoofing is required for Windows Hello face authentication |
-| Windows Components / BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows 10) | Enabled: XTA-AES-256 for operating system drives and fixed drives and AES-CBC-256 for removable drives | Allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. |
-| Windows Components / BitLocker Drive Encryption | Disable new DMA devices when this computer is locked | Enabled | Allows you to block direct memory access (DMA) for all Thunderbolt hot pluggable PCI downstream ports until a user logs into Windows |
-| Windows Components / BitLocker Drive Encryption / Operating System Drives | Allow enhanced PINs for startup | Enabled | Allows you to configure whether enhanced startup PINs are used with BitLocker |
-| Windows Components / BitLocker Drive Encryption / Operating System Drives | Allow Secure Boot for integrity validation | Enabled | Allows you to configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives. |
-| Windows Components / Event Log Service / Application | Specify the maximum log file size (KB) | Enabled: 32768 | Specifies the maximum size of the log file in kilobytes. |
-| Windows Components / Event Log Service / Security | Specify the maximum log file size (KB) | Enabled: 196608 | Specifies the maximum size of the log file in kilobytes. |
-| Windows Components / Event Log Service / System | Specify the maximum log file size (KB) | Enabled: 32768 | Specifies the maximum size of the log file in kilobytes. |
-| Windows Components / Microsoft Edge | Configure Windows Defender SmartScreen | Enabled | Configure whether to turn on Windows Defender SmartScreen to provide warning messages to help protect your employees from potential phishing scams and malicious software |
-| Windows Components / Windows Defender SmartScreen / Explorer | Configure Windows Defender SmartScreen | Warn and prevent bypass | Allows you to turn Windows Defender SmartScreen on or off |
-| Windows Components / Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for files | Enabled | This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. |
-| Windows Components / Windows Defender SmartScreen / Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for sites | Enabled | Lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites |
-| Windows Components / Windows Installer | Allow user control over installs | Disabled | Permits users to change installation options that typically are available only to system administrators |
-| Windows Components / Windows Installer | Always install with elevated privileges | Disabled | Directs Windows Installer to use elevated permissions when it installs any program on the system |
-| Windows Components / Windows Logon Options | Sign-in last interactive user automatically after a system-initiated restart | Disabled | Controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system |
-| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Allow unencrypted traffic | Disabled | Manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network |
-| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Allow unencrypted traffic | Disabled | Manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. |
-
-### Windows Defender Antivirus Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|------------------------------------------------------------------------|-----------------------------------------------------------|----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Windows Components / Windows Defender Antivirus | Turn off Windows Defender Antivirus | Disabled | Turns off Windows Defender Antivirus |
-| Windows Components / Windows Defender Antivirus | Configure detection for potentially unwanted applications | Enabled: Audit | Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. |
-| Windows Components / Windows Defender Antivirus / MAPS | Join Microsoft MAPS | Enabled: Advanced MAPS | Allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. |
-| Windows Components / Windows Defender Antivirus / MAPS | Send file samples when further analysis is required | Enabled: Send safe samples | Configures behavior of samples submission when opt-in for MAPS telemetry is set |
-| Windows Components / Windows Defender Antivirus / Real-time Protection | Turn off real-time protection | Disabled | Turns off real-time protection prompts for known malware detection |
-| Windows Components / Windows Defender Antivirus / Real-time Protection | Turn on behavior monitoring | Enabled | Allows you to configure behavior monitoring. |
-| Windows Components / Windows Defender Antivirus / Scan | Scan removable drives | Enabled | Allows you to manage whether to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. |
-| Windows Components / Windows Defender Antivirus / Scan | Specify the interval to run quick scans per day | 24 | Allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). |
-| Windows Components / Windows Defender Antivirus / Scan | Turn on e-mail scanning | Enabled | Allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments |
-
-### User Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|----------------------------------------|-------------------------------------------------------------|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Start Menu and Taskbar / Notifications | Turn off toast notifications on the lock screen | Enabled | Turns off toast notifications on the lock screen. |
-| Windows Components / Cloud Content | Do not suggest third-party content in the Windows spotlight | Enabled | Windows spotlight features like lock screen spotlight, suggested apps in Start menu or Windows tips will no longer suggest apps and content from third-party software publishers |
-
-### IE Computer Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|---------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Windows Components / Internet Explorer | Prevent managing SmartScreen Filter | Enabled: On | Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. |
-| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Check for server certificate revocation | Enabled | Allows you to manage whether Internet Explorer will check revocation status of servers' certificates |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on Cross-Site Scripting Filter | Enabled: Enable | Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on Protected Mode | Enabled: Enable | Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Use Pop-up Blocker | Enabled: Enable | Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Java permissions | Enabled: High Safety | Allows you to manage permissions for Java applets. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Local Machine Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-down Internet Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Restricted Sites Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on Cross-Site Scripting Filter | Enabled: Enable | Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on Protected Mode | Enabled: Enable | Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Trusted Sites Zone | Java permissions | Enabled: Enable | Allows you to configure policy settings according to the default for the selected security level, such Low, Medium, or High. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Use Pop-up Blocker | Enabled: Enable | Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. |
-| Windows Components / Internet Explorer / Security Features | Allow fallback to SSL 3.0 (Internet Explorer) | Enabled: No sites | Allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails. |
-
-### LAPS
-
-Download and install the [Microsoft Local Admin Password Solution (LAPS)](https://www.microsoft.com/download/details.aspx?id=46899).
-
-| Feature | Policy Setting | Policy Value | Description |
-|---------|----------------------------------------|--------------|-------------------------------|
-| LAPS | Enable local admin password management | Enabled | Activates LAPS for the device |
-
-### Custom Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|-----------------------------------------------------------------------|-----------------------------------------------------------|--------------|---------------------------------------------------------------------------------------|
-| Computer Configuration / Administrative Templates / MS Security Guide | Apply UAC restrictions to local accounts on network logon | Enabled | Filters the user account token for built-in administrator accounts for network logons |
-
-### Services
-
-| Feature | Policy Setting | Policy Value | Description |
-|----------------|-----------------------------------|--------------|-----------------------------------------------------------------------------------|
-| Scheduled Task | XblGameSaveTask | Disabled | Syncs save data for Xbox Live save-enabled games |
-| Services | Xbox Accessory Management Service | Disabled | Manages connected Xbox accessories |
-| Services | Xbox Game Monitoring | Disabled | Monitors Xbox games currently being played |
-| Services | Xbox Live Auth Manager | Disabled | Provides authentication and authorization services for interactive with Xbox Live |
-| Services | Xbox Live Game Save | Disabled | Syncs save data for Xbox live save enabled games |
-| Services | Xbox Live Networking Service | Disabled | Supports the Windows.Networking.XboxLive API |
-
-## Controls
-
-The controls enabled in level 5 enforce a reasonable security level while minimizing the impact to users and applications.
-
-| Feature | Config | Description |
-|-----------------------------------|-------------------------------------|--------------------|
-| [Windows Defender ATP EDR](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | Deployed to all devices | The Windows Defender ATP endpoint detection and response (EDR) provides actionable and near real-time detection of advanced attacks. EDR helps security analysts , and aggregates alerts with the same attack techniques or attributed to the same attacker into an an entity called an *incident*. An incident helps analysts prioritize alerts, collectively investigate the full scope of a breach, and respond to threats. Windows Defender ATP EDR is not expected to impact users or applications, and it can be deployed to all devices in a single step. |
-| [Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard) | Enabled for all compatible hardware | Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. There is a small risk to application compatibility, as [applications will break](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements#application-requirements) if they require NTLMv1, Kerberos DES encryption, Kerberos unconstrained delegation, or extracting the Keberos TGT. As such, Microsoft recommends deploying Credential Guard using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). |
-| [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/) | Default browser | Microsoft Edge in Windows 10 provides better security than Internet Explorer 11 (IE11). While you may still need to leverage IE11 for compatibility with some sites, Microsoft recommends configuring Microsoft Edge as the default browser, and building an Enterprise Mode Site List to redirect to IE11 only for those sites that require it. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Enterprise Mode Site List, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). |
-| [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Enabled on compatible hardware | Windows Defender Application Guard uses a hardware isolation approach. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated container, which is separate from the host operating system and enabled by Hyper-V. If the untrusted site turns out to be malicious, the isolated container protects the host PC, and the attacker can't get to your enterprise data. There is a small risk to application compatibility, as some applications may require interaction with the host PC but may not yet be on the list of trusted web sites for Application Guard. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Network Isolation Settings, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). |
-
-## Behaviors
-
-The behaviors recommended in level 5 enforce a reasonable security level while minimizing the impact to users or to applications.
-
-| Feature | Config | Description |
-|---------|-------------------|-------------|
-| OS security updates | Deploy Windows Quality Updates within 7 days of release | As the time between the release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, a critical aspect of security hygiene is having an engineering process that quickly validates and deploys Quality Updates that address security vulnerabilities. |
-
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md
index c7db094d6f..fd0c3af5a7 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md
@@ -11,7 +11,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/05/2018
+ms.date: 06/11/2019
ms.reviewer:
---
@@ -21,45 +21,56 @@ ms.reviewer:
- Windows 10
-Security configuration is complex. With thousands of group policies available in Windows, choosing the “best” setting is difficult.
-It’s not always obvious which permutations of policies are required to implement a complete scenario, and there are often unintended consequences of some security lockdowns.
+Security configuration is complex. When hardening your deployment of Windows 10, how should you prioritize the hardware you buy, policies you enforce, controls you configure, and behavior your staff exhibit?
-Because of this, with each release of Windows, Microsoft publishes [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines), an industry-standard configuration that is broadly known and well-tested.
-However, many organizations have discovered that this baseline sets a very high bar.
-While appropriate for organizations with very high security needs such as those persistently targeted by Advanced Persistent Threats, some organizations have found that the cost of navigating the potential compatibility impact of this configuration is prohibitively expensive given their risk appetite.
-They can’t justify the investment in that very high level of security with an ROI.
+Even when configuring policies, with thousands of policies available in Windows, choosing the “best” setting is difficult. It’s not always obvious which permutations of policies are required to implement a complete scenario, and there are often unintended consequences of security lockdowns. Because of this, with each release of Windows, Microsoft publishes [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines), an industry-standard configuration that is broadly known and well-tested. However, many organizations have discovered that this baseline sets a very high bar for some scenarios.
-As such, Microsoft is introducing a new taxonomy for security configurations for Windows 10.
-This new security configuration framework, which we call the SECCON framework (remember "WarGames"?), organizes devices into one of 5 distinct security configurations.
+To help you prioritize your endpoint hardening work, Microsoft is introducing a new taxonomy for security configurations for Windows 10. In this initial preview, we are simply listing recommended hardware, policies, controls, and behaviors in order to gather feedback from more customers and security experts in order to refine the framework and prioritize opportunities to automate.
+
+This new security configuration framework, which we affectionately nickname the SecCon framework (remember "WarGames"?), organizes devices into one of 5 distinct security configurations.
-- [Level 5 Enterprise Security](level-5-enterprise-security.md) – We recommend this configuration as the minimum security configuration for an enterprise device. Recommendations for this level are generally straightforward and are designed to be deployable within 30 days.
-- [Level 4 Enterprise High Security](level-4-enterprise-high-security.md) – We recommend this configuration for devices where users access sensitive or confidential information. Some of the controls may have an impact to app compat, and therefore will often go through an audit-configure-enforce workflow. Recommendations for this level are generally accessible to most organizations and are designed to be deployable within 90 days.
-- [Level 3 Enterprise VIP Security](level-3-enterprise-vip-security.md) – We recommend this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (as one example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. Recommendations for this level can be complex (for example, removing local admin rights for some organizations can be a long project in and of itself) and can often go beyond 90 days.
-- [Level 2 DevOps Workstation](level-2-enterprise-devops-security.md) – We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. Level 2 guidance is coming soon!
-- [Level 1 Administrator Workstation](level-1-enterprise-administrator-security.md) – Administrators (particularly of identity or security systems) present the highest risk to the organization, through data theft, data alteration, or service disruption. Level 1 guidance is coming soon!
+- [Level 1 enterprise basic security](level-1-enterprise-basic-security.md) – We recommend this configuration as the minimum security configuration for an enterprise device. Recommendations for this level are generally straightforward and are designed to be deployable within 30 days.
+- [Level 2 enterprise enhanced security](level-2-enterprise-enhanced-security.md) – We recommend this configuration for devices where users access sensitive or confidential information. Some of the controls may have an impact to app compat, and therefore will often go through an audit-configure-enforce workflow. Recommendations for this level are generally accessible to most organizations and are designed to be deployable within 90 days.
+- [Level 3 enterprise high security](level-3-enterprise-high-security.md) – We recommend this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (as one example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. Recommendations for this level can be complex (for example, removing local admin rights for some organizations can be a long project in and of itself) and can often go beyond 90 days.
+- [Level 4 DevOps workstation](level-4-enterprise-devops-security.md) – We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. Level 4 guidance is coming soon!
+- [Level 5 administrator workstation](level-5-enterprise-administrator-security.md) – Administrators (particularly of identity or security systems) present the highest risk to the organization, through data theft, data alteration, or service disruption. Level 5 guidance is coming soon!
The security configuration framework divides configuration into Productivity Devices and Privileged Access Workstations. This document will focus on Productivity Devices
-(Levels 5, 4, and 3).
+(Levels 1, 2, and 3).
Microsoft’s current guidance on [Privileged Access Workstations](http://aka.ms/privsec) are part of the [Securing Privileged Access roadmap](http://aka.ms/privsec).
Microsoft recommends reviewing and categorizing your devices, and then configuring them using the prescriptive guidance for that level.
-Level 5 should be considered the minimum baseline for an enterprise device, and Microsoft recommends increasing the protection based on both threat environment and risk appetite.
+Level 1 should be considered the minimum baseline for an enterprise device, and Microsoft recommends increasing the protection based on both threat environment and risk appetite.
## Security control classification
-The recommendations are grouped into three categories.
-
-
+The recommendations are grouped into four categories.
+| Hardware | Policies | Controls | Behaviors |
+|----------|----------|----------|-----------|
+| Microsoft recommends acquiring hardware that supports the specified hardware features, in order to support Windows security features | Microsoft recommends enforcing the configuration of the specified policies in the manner described, to harden Windows to the designated level of security | Microsoft recommends enabling the security controls specified in the manner described, to provide protections appropriate to the designated level of security. | Microsoft recommends changing organizational behavior towards the endpoints in the manner described. |
## Security control deployment methodologies
The way Microsoft recommends implementing these controls depends on the
auditability of the control–there are two primary methodologies.
-
+### Rings
+Security controls which don't support an audit mode should be deployed gradually. A typical deployment methodology:
+1. Test ring - deploy to a lab to validate "must test" apps prior to enforcement of any configuration
+2. Pilot ring - deploy to a representative sample of 2-5% of the environment
+3. Fast ring - deploy to the next 25% of the environment
+4. Slow ring - deploy to the remainder of the organization
+
+### Audit / Enforce
+
+Security controls which support an audit mode can be deployed using the following methodology:
+
+1. Audit - enable the control in audit mode, and gather audit data in a centralized location
+2. Review - review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure
+3. Enforce - deploy the configuration of any exemptions and convert the control to enforce mode
diff --git a/windows/threat-protection/docfx.json b/windows/threat-protection/docfx.json
index 98413f9962..12bbd676fa 100644
--- a/windows/threat-protection/docfx.json
+++ b/windows/threat-protection/docfx.json
@@ -31,11 +31,9 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
- "uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
- "ms.author": "justinha",
"ms.date": "04/05/2017",
"_op_documentIdPathDepotMapping": {
"./": {
diff --git a/windows/threat-protection/index.md b/windows/threat-protection/index.md
deleted file mode 100644
index 1417ec0534..0000000000
--- a/windows/threat-protection/index.md
+++ /dev/null
@@ -1,3 +0,0 @@
----
-redirect_url: https://docs.microsoft.com/windows/security/threat-protection/
----
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index 1903ec7f9a..b86924bf53 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -31,11 +31,9 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
- "uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
- "ms.author": "trudyha",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
diff --git a/windows/whats-new/images/system-guard.png b/windows/whats-new/images/system-guard.png
new file mode 100644
index 0000000000..586f63d4da
Binary files /dev/null and b/windows/whats-new/images/system-guard.png differ
diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md
index de2548056a..c89b8110a0 100644
--- a/windows/whats-new/ltsc/index.md
+++ b/windows/whats-new/ltsc/index.md
@@ -6,7 +6,6 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
-ms.date: 12/27/2018
ms.localizationpriority: low
ms.topic: article
---
@@ -42,9 +41,9 @@ With the LTSC servicing model, customers can delay receiving feature updates and
>[!IMPORTANT]
>The Long Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181).
-For detailed information about Windows 10 servicing, see [Overview of Windows as a service](/windows/deployment/update/waas-overview.md).
+For detailed information about Windows 10 servicing, see [Overview of Windows as a service](/windows/deployment/update/waas-overview).
## See Also
[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
-[Windows 10 - Release information](https://docs.microsoft.com/en-us/windows/windows-10/release-information): Windows 10 current versions by servicing option.
\ No newline at end of file
+[Windows 10 - Release information](https://docs.microsoft.com/windows/windows-10/release-information): Windows 10 current versions by servicing option.
\ No newline at end of file
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
index c20bd31308..581fc39b20 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
@@ -1,14 +1,14 @@
---
title: What's new in Windows 10 Enterprise 2015 LTSC
ms.reviewer:
-manager: dansimp
-ms.author: macapara
+manager: laurawi
+ms.author: greglin
description: New and updated IT Pro content about new features in Windows 10 Enterprise 2015 LTSC (also known as Windows 10 Enterprise 2015 LTSB).
keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2015 LTSC"]
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-author: mjcaparas
+author: greg-lindsay
ms.localizationpriority: low
ms.topic: article
---
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
index dfa92423f4..ebf6fb48d9 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
@@ -1,14 +1,14 @@
---
title: What's new in Windows 10 Enterprise 2016 LTSC
ms.reviewer:
-manager: dansimp
-ms.author: macapara
+manager: laurawi
+ms.author: greglin
description: New and updated IT Pro content about new features in Windows 10 Enterprise 2016 LTSC (also known as Windows 10 Enterprise 2016 LTSB).
keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2016 LTSC"]
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-author: mjcaparas
+author: greg-lindsay
ms.localizationpriority: low
ms.topic: article
---
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index c60b88f548..dad076a535 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -1,14 +1,14 @@
---
title: What's new in Windows 10 Enterprise 2019 LTSC
ms.reviewer:
-manager: dansimp
-ms.author: macapara
+manager: laurawi
+ms.author: greglin
description: New and updated IT Pro content about new features in Windows 10 Enterprise 2019 LTSC (also known as Windows 10 Enterprise 2019 LTSB).
keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2019 LTSC"]
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-author: mjcaparas
+author: greg-lindsay
ms.localizationpriority: low
ms.topic: article
---
@@ -36,8 +36,7 @@ The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC use
## Microsoft Intune
->Microsoft Intune supports LTSC 2019 and later.
-
+>Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows Update for Business (WUfB) does not currently support any LTSC releases, therefore you should use WSUS or Configuration Manager for patching.
## Security
@@ -279,33 +278,6 @@ To learn more about Autopilot self-deploying mode and to see step-by-step instru
IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset).
-## Sign-in
-
-### Faster sign-in to a Windows 10 shared pc
-
-If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc) in a flash!
-
-**To enable fast sign-in:**
-1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise 2019 LTSC.
-2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in.
-3. Sign-in to a shared PC with your account. You'll notice the difference!
-
- 
-
-### Web sign-in to Windows 10
-
-Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML).
-
-**To try out web sign-in:**
-1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs).
-2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in.
-3. On the lock screen, select web sign-in under sign-in options.
-4. Click the “Sign in” button to continue.
-
-
-
-## Deployment
-
### MBR2GPT.EXE
MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise 2019 LTSC (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).
@@ -316,10 +288,6 @@ Additional security features of Windows 10 that are enabled when you boot in UEF
For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt).
-### Windows Autopilot
-
-Information about Windows Autopilot support for LTSC 2019 is pending.
-
### DISM
The following new DISM commands have been added to manage feature updates:
@@ -372,6 +340,31 @@ Portions of the work done during the offline phases of a Windows update have bee
SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.
+## Sign-in
+
+### Faster sign-in to a Windows 10 shared pc
+
+If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc) in a flash!
+
+**To enable fast sign-in:**
+1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise 2019 LTSC.
+2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in.
+3. Sign-in to a shared PC with your account. You'll notice the difference!
+
+ 
+
+### Web sign-in to Windows 10
+
+Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML).
+
+**To try out web sign-in:**
+1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs).
+2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in.
+3. On the lock screen, select web sign-in under sign-in options.
+4. Click the “Sign in” button to continue.
+
+
+
## Windows Analytics
### Upgrade Readiness
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index 46e7f7bca5..0e1be04497 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -126,7 +126,7 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10
You can read more about ransomware mitigations and detection capability in Windows Defender Advanced Threat Protection in the blog: [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/).
-Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see [Windows Defender ATP for Windows 10 Creators Update](https://technet.microsoft.com/en-au/windows/mt782787).
+Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see [Windows Defender ATP for Windows 10 Creators Update](https://technet.microsoft.com/windows/mt782787).
### Windows Defender Antivirus
Windows Defender is now called Windows Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index 1d839ac866..61b20e6870 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -36,7 +36,7 @@ This article lists new and updated features and content that are of interest to
Windows 10 Education support has been added to Windows 10 Subscription Activation.
-With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-subscription-activation).
+With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation).
### SetupDiag
@@ -51,7 +51,7 @@ SetupDiag is a command-line tool that can help diagnose why a Windows 10 update
## Servicing
- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with System Center Configuration Manager content coming soon!
-- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/en-us/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
+- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again.
@@ -116,10 +116,18 @@ The draft release of the [security configuration baseline settings](https://blog
This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker.
- [Allow COM Object Registration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
+#### System Guard
+
+[System Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) has added a new feature in this version of Windows called **SMM Firmware Measurement**. This feature is built on top of [System Guard Secure Launch](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, OS memory and secrets are protected from SMM. There are currently no devices out there with compatible hardware, but they will be coming out in the next few months.
+
+This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly:
+
+
+
### Identity Protection
- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD.
-- [Streamlined Windows Hello PIN reset experience](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web.
+- [Streamlined Windows Hello PIN reset experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web.
- Sign-in with [Password-less](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience!
- [Remote Desktop with Biometrics](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
@@ -131,13 +139,11 @@ The draft release of the [security configuration baseline settings](https://blog
## Microsoft Edge
-Windows 10, version 1903 offers new Group Policies and [MDM policies](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser) for managing Microsoft Edge. You can silently enable BitLocker for standard Azure Active Directory-joined users. You can also more easily manage the entire Microsoft 365 experience for users with the Microsoft 365 Admin Center.
-
Several new features are coming in the next version of Edge. See the [news from Build 2019](https://blogs.windows.com/msedgedev/2019/05/06/edge-chromium-build-2019-pwa-ie-mode-devtools/#2QJF4u970WjQ2Sv7.97) for more information.
## See Also
-[What's New in Windows Server, version 1903](https://docs.microsoft.com/en-us/windows-server/get-started/whats-new-in-windows-server-1903): New and updated features in Windows Server.
+[What's New in Windows Server, version 1903](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1903): New and updated features in Windows Server.
[Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
[What's new in Windows 10](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
+ 
+ 
+ 
+ 
+ 
+ 
+ ++
+ ++
+ ++
+
+ 
+
+ 
+
+ 
-
+
+
+Once the hardware IDs have been captured from existing devices, they can be uploaded through a variety of means. See the detailed documentation for each available mechanism.
- [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot). This is the preferred mechanism for all customers.
-
- [Partner Center](https://msdn.microsoft.com/partner-center/autopilot). This is used by CSP partners to register devices on behalf of customers.
-
- [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa). This is typically used by small and medium businesses (SMBs) who manage their devices using Microsoft 365 Business.
+- [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles). You might already be using MSfB to manage your apps and settings.
+
+A summary of each platform's capabilities is provided below.
+
+
+ 
-When initially deploying new Windows devices, Windows Autopilot leverages the OEM-optimized version of Windows 10 that is preinstalled on the device, saving organizations the effort of having to maintain custom images as well as drivers for every model of device being used. Instead of re-imaging the device, that existing Windows 10 installation can be transformed into a “business-ready” state, applying settings and policies, installing apps, and even changing the edition of Windows 10 being used (e.g. from Windows 10 Pro to Windows 10 Enterprise, to support advanced features).
+When initially deploying new Windows devices, Windows Autopilot leverages the OEM-optimized version of Windows 10 that is preinstalled on the device, saving organizations the effort of having to maintain custom images and drivers for every model of device being used. Instead of re-imaging the device, your existing Windows 10 installation can be transformed into a “business-ready” state, applying settings and policies, installing apps, and even changing the edition of Windows 10 being used (e.g. from Windows 10 Pro to Windows 10 Enterprise) to support advanced features.
-Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intune, Windows Update for Business, System Center Configuration Manager, and other similar tools. Windows Autopilot can help with device re-purposing scenarios, leveraging Windows Autopilot Reset to quickly prepare a device for a new user, as well as in break/fix scenarios to enable a device to quickly be brought back to a business-ready state.
+Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intune, Windows Update for Business, System Center Configuration Manager, and other similar tools. Windows Autopilot can also be used to re-purpose a device by leveraging Windows Autopilot Reset to quickly prepare a device for a new user, or in break/fix scenarios to enable a device to quickly be brought back to a business-ready state.
+
+Windows Autopilot enables you to:
+* Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join). See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options.
+* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](windows-autopilot-requirements-configuration.md)).
+* Restrict the Administrator account creation.
+* Create and auto-assign devices to configuration groups based on a device's profile.
+* Customize OOBE content specific to the organization.
## Windows Autopilot walkthrough
@@ -47,32 +53,13 @@ Traditionally, IT pros spend a lot of time building and customizing images that
From the user's perspective, it only takes a few simple operations to make their device ready to use.
-From the IT pro's perspective, the only interaction required from the end user is to connect to a network and to verify their credentials. Everything past that is automated.
+From the IT pro's perspective, the only interaction required from the end user is to connect to a network and to verify their credentials. Everything beyond that is automated.
## Requirements
-Windows 10 version 1703 or higher is required to use Windows Autopilot. The following editions are supported:
-- Pro
-- Pro Education
-- Pro for Workstations
-- Enterprise
-- Education
-
-See [Windows Autopilot requirements](windows-autopilot-requirements.md) for detailed information on configuration, network, and licensing requirements.
-
-## Windows Autopilot Scenarios
-
-Windows Autopilot enables you to pre-register devices to your organization so that they will be fully configured with no additional intervention required by the user.
-
-Windows Autopilot enables you to:
-* Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join). See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options.
-* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](windows-autopilot-requirements-configuration.md)).
-* Restrict the Administrator account creation.
-* Create and auto-assign devices to configuration groups based on a device's profile.
-* Customize OOBE content specific to the organization.
-
-See [Windows Autopilot scenarios](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-scenarios) for more information about scenarios for using Windows Autopilot.
+Windows 10 version 1703 or higher is required to use Windows Autopilot. See [Windows Autopilot requirements](windows-autopilot-requirements.md) for detailed information on software, configuration, network, and licensing requirements.
## Related topics
-[Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/en-us/intune/enrollment-autopilot)
+[Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot)