diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 761b93800a..11b7ed4a4f 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -14867,9 +14867,14 @@
"redirect_document_id": true
},
{
- "source_path": "windows/security/threat-protection/windows-defender-atp/api-power-bi.md",
- "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/api-power-bi",
- "redirect_document_id": true
+"source_path": "windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/api-power-bi",
+"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md",
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index ed619bd257..fdb6615bf6 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
-ms.date: 05/21/2019
+ms.date: 08/16/2019
ms.reviewer:
manager: dansimp
---
@@ -2418,13 +2418,11 @@ The following list shows the supported values:
To validate this policy:
-1. Enable the policy ensure the device is on a cellular network.
+1. Enable the policy and ensure the device is on a cellular network.
2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell:
- - `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f`
-
- - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""`
-
-3. Verify that any downloads that are above the download size limit will complete without being paused.
+ ```TShell
+ exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I'
+ ```
@@ -2472,11 +2470,6 @@ Added in Windows 10, version 1703. Specifies whether to ignore the MO download
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
-
- - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""`
-
-3. Verify that any downloads that are above the download size limit will complete without being paused.
-
The following list shows the supported values:
@@ -2489,7 +2482,10 @@ The following list shows the supported values:
To validate this policy:
1. Enable the policy and ensure the device is on a cellular network.
-2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
+2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell:
+ ```TShell
+ exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I'
+ ```
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index 4df1a782b7..cda79baf8e 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -4,10 +4,9 @@ description: WSUS allows companies to defer, selectively approve, choose when de
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-author: greg-lindsay
+author: jaimeo
ms.localizationpriority: medium
-ms.author: greglin
-ms.date: 10/16/2017
+ms.author: jaimeo
ms.reviewer:
manager: laurawi
ms.topic: article
@@ -23,9 +22,8 @@ ms.topic: article
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
>[!IMPORTANT]
->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel.
->
->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
+>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy or the registry. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel.
+
WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that System Center Configuration Manager provides.
@@ -35,35 +33,23 @@ When you choose WSUS as your source for Windows updates, you use Group Policy to
## Requirements for Windows 10 servicing with WSUS
-To be able to use WSUS to manage and deploy Windows 10 feature updates, you must have WSUS 4.0, which is available in the Windows Server 2012 R2 and Windows Server 2012 operating systems. In addition to WSUS 4.0, you must install the [KB3095113](https://support.microsoft.com/kb/3095113) and [KB3159706](https://support.microsoft.com/kb/3159706) patches on the WSUS server.
+To be able to use WSUS to manage and deploy Windows 10 feature updates, you must use a supported WSUS version:
+- WSUS 10.0.14393 (role in Windows Server 2016)
+- WSUS 10.0.17763 (role in Windows Server 2019)
+- WSUS 6.2 and 6.3 (role in Windows Server 2012 and Windows Server 2012 R2)
+- KB 3095113 and KB 3159706 (or an equivalent update) must be installed on WSUS 6.2 and 6.3.
+
+> [!IMPORTANT]
+> Both [KB 3095113](https://support.microsoft.com/kb/3095113) and [KB 3159706](https://support.microsoft.com/kb/3159706) are included in the **Security Monthly Quality Rollup** starting in July 2017. This means you might not see KB 3095113 and KB 3159706 as installed updates since they might have been installed with a rollup. However, if you need either of these updates, we recommend installing a **Security Monthly Quality Rollup** released after **October 2017** since they contain an additional WSUS update to decrease memory utilization on WSUS's clientwebservice.
+>If you have synced either of these updates prior to the security monthly quality rollup, you can experience problems. To recover from this, see [How to Delete Upgrades in WSUS](https://blogs.technet.microsoft.com/wsus/2016/01/29/how-to-delete-upgrades-in-wsus/).
+
## WSUS scalability
To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a perimeter network, or they might have some other complex scenario. WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see [Choose a Type of WSUS Deployment](https://technet.microsoft.com/library/cc720448%28v=ws.10%29.aspx).
-## Express Installation Files
-With Windows 10, quality updates will be larger than traditional Windows Updates because they’re cumulative. To manage the bandwidth clients downloading large updates like these will need, WSUS has a feature called *Express Installation Files*.
-
- At a binary level, files associated with updates may not change a lot. In fact, with cumulative quality updates, most of the content will be from previous updates. Rather than downloading the entire update when only a small percentage of the payload is actually different, Express Installation Files analyze the differences between the new files associated with an update and the existing files on the client. This approach significantly reduces the amount of bandwidth used because only a fraction of the update content is actually delivered.
-
- **To configure WSUS to download Express Update Files**
-
-1. Open the WSUS Administration Console.
-
-2. In the navigation pane, go to *Your_Server*\\**Options**.
-
-3. In the **Options** section, click **Update Files and Languages**.
-
- 
-
-4. In the **Update Files and Languages** dialog box, select **Download express installation files**.
-
- 
-
- >[!NOTE]
- >Because Windows 10 updates are cumulative, enabling Express Installation Files when WSUS is configured to download Windows 10 updates will significantly increase the amount of disk space that WSUS requires. Alternatively, when using Express Installation Files for previous versions of Windows, the feature’s positive effects aren’t noticeable because the updates aren’t cumulative.
## Configure automatic updates and update service location
@@ -71,11 +57,11 @@ When using WSUS to manage updates on Windows client devices, start by configurin
**To configure the Configure Automatic Updates and Intranet Microsoft Update Service Location Group Policy settings for your environment**
-1. Open GPMC.
+1. Open Group Policy Management Console (gpmc.msc).
-2. Expand Forest\Domains\\*Your_Domain*.
+2. Expand *Forest\Domains\\*Your_Domain**.
-3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
+3. Right-click **Your_Domain**, and then select **Create a GPO in this domain, and Link it here**.
@@ -99,13 +85,13 @@ When using WSUS to manage updates on Windows client devices, start by configurin
> [!NOTE]
- > ?There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx).
+ > There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx).
-10. Right-click the **Specify intranet Microsoft update service location** setting, and then click **Edit**.
+10. Right-click the **Specify intranet Microsoft update service location** setting, and then select **Edit**.
11. In the **Specify intranet Microsoft update service location** dialog box, select **Enable**.
-12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type http://Your_WSUS_Server_FQDN:PortNumber, and then click **OK**.
+12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type http://Your_WSUS_Server_FQDN:PortNumber, and then select **OK**.
>[!NOTE]
>The URL `http://CONTOSO-WSUS1.contoso.com:8530` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance.
@@ -113,7 +99,7 @@ When using WSUS to manage updates on Windows client devices, start by configurin
>[!NOTE]
- >The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. If you’re unsure which port WSUS is using for client communication, right-click the WSUS Administration site in IIS Manager, and then click **Edit Bindings**.
+ >The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. (The other options are 80 and 443; no other ports are supported.)
As Windows clients refresh their computer policies (the default Group Policy refresh setting is 90 minutes and when a computer restarts), computers start to appear in WSUS. Now that clients are communicating with the WSUS server, create the computer groups that align with your deployment rings.
@@ -139,6 +125,7 @@ You can use computer groups to target a subset of devices that have specific qua
Now that the groups have been created, add the computers to the computer groups that align with the desired deployment rings. You can do this through [Group Policy](#wsus-gp) or manually by using the [WSUS Administration Console](#wsus-admin).
+
## Use the WSUS Administration Console to populate deployment rings
Adding computers to computer groups in the WSUS Administration Console is simple, but it could take much longer than managing membership through Group Policy, especially if you have many computers to add. Adding computers to computer groups in the WSUS Administration Console is called *server-side targeting*.
@@ -205,7 +192,7 @@ Now that WSUS is ready for client-side targeting, complete the following steps t
>[!TIP]
>When using client-side targeting, consider giving security groups the same names as your deployment rings. Doing so simplifies the policy-creation process and helps ensure that you don’t add computers to the incorrect rings.
-1. Open GPMC.
+1. Open Group Policy Management Console (gpmc.msc).
2. Expand Forest\Domains\\*Your_Domain*.
@@ -223,10 +210,13 @@ Now that WSUS is ready for client-side targeting, complete the following steps t
8. In the **Enable client-side targeting** dialog box, select **Enable**.
-9. In the **Target group name for this computer** box, type **Ring 4 Broad Business Users**. This is the name of the deployment ring in WSUS to which these computers will be added.
+9. In the **Target group name for this computer** box, type *Ring 4 Broad Business Users*. This is the name of the deployment ring in WSUS to which these computers will be added.
+> [!WARNING]
+> The target group name must match the computer group name.
+
10. Close the Group Policy Management Editor.
Now you’re ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring.
@@ -248,7 +238,8 @@ The next time the clients in the **Ring 4 Broad Business Users** security group
For clients that should have their feature updates approved as soon as they’re available, you can configure Automatic Approval rules in WSUS.
>[!NOTE]
->WSUS respects the client’s servicing branch. If you approve a feature update while it is still Current Branch (CB), WSUS will install the update only on PCs that are in the CB servicing branch. When Microsoft releases the build for Current Branch for Business (CBB), the PCs in the CBB servicing branch will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS.
+>WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for Semi-Annual Channel, the devices in the Semi-Annual Channel will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS.
+
**To configure an Automatic Approval rule for Windows 10 feature updates and approve them for the Ring 3 Broad IT deployment ring**
@@ -277,13 +268,18 @@ For clients that should have their feature updates approved as soon as they’re
9. In the **Automatic Approvals** dialog box, click **OK**.
>[!NOTE]
- >WSUS does not honor any existing month/week/day deferral settings for CB or CBB. That said, if you’re using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait.
+ >WSUS does not honor any existing month/week/day [deferral settings](waas-configure-wufb.md#configure-when-devices-receive-feature-updates). That said, if you’re using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait.
Now, whenever Windows 10 feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week.
+> [!WARNING]
+> The auto approval rule runs after synchronization occurs. This means that the *next* upgrade for each Windows 10 version will be approved. If you select **Run Rule**, all possible updates that meet the criteria will be approved, potentially including older updates that you don't actualy want--which can be a problem when the download sizes are very large.
+
## Manually approve and deploy feature updates
-You can manually approve updates and set deadlines for installation within the WSUS Administration Console, as well. To simplify the manual approval process, start by creating a software update view that contains only Windows 10 updates.
+You can manually approve updates and set deadlines for installation within the WSUS Administration Console, as well. It might be best to approve update rules manually after your pilot deployment has been updated.
+
+To simplify the manual approval process, start by creating a software update view that contains only Windows 10 updates.
**To approve and deploy feature updates manually**
@@ -301,7 +297,7 @@ You can manually approve updates and set deadlines for installation within the W
-Now that you have the All Windows 10 Upgrades view, complete the following steps to manually approve an update for the **Ring 4 Broad Business Users** deployment ring:
+Now that you have the **All Windows 10 Upgrades** view, complete the following steps to manually approve an update for the **Ring 4 Broad Business Users** deployment ring:
1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates\All Windows 10 Upgrades.
diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md
index 6524be0563..1edad940a4 100644
--- a/windows/deployment/update/wufb-compliancedeadlines.md
+++ b/windows/deployment/update/wufb-compliancedeadlines.md
@@ -105,13 +105,13 @@ Once the device is in the pending restart state, it will attempt to restart the
-#### Suggested configuration {OK}
+#### Suggested configuration
|Policy|Location|3-day compliance|5-day compliance|7-day compliance|
|-|-|-|-|-|
|Specify deadline before auto-restart for update installation| GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadline before auto-restart for update installation |State: Enabled
**Specify the number of days before pending restart will automatically be executed outside of active hours:** 2| State: Enabled
**Specify the number of days before pending restart will automatically be executed outside of active hours:** 3 | State: Enabled
**Specify the number of days before pending restart will automatically be executed outside of active hours:** 4|
-#### Controlling notification experience for deadline {OK}
+#### Controlling notification experience for deadline
|Policy| Location|Suggested Configuration |
|-|-|-|
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index b413218f3d..a34a0b7891 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -28,7 +28,7 @@ ms.topic: article
## About SetupDiag
-Current version of SetupDiag: 1.6.0.0
+Current version of SetupDiag: 1.6.0.42
>Always be sure to run the most recent version of SetupDiag, so that can access new functionality and fixes to known issues.
SetupDiag is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful.
@@ -73,6 +73,8 @@ The [Release notes](#release-notes) section at the bottom of this topic has info
| /Verbose | - This optional parameter will output much more data to a log file. By default, SetupDiag will only produce a log file entry for serious errors. Using **/Verbose** will cause SetupDiag to always produce an additional log file with debugging details. These details can be useful when reporting a problem with SetupDiag.
|
| /NoTel | - This optional parameter tells SetupDiag.exe not to send diagnostic telemetry to Microsoft.
|
| /AddReg | - This optional parameter instructs SetupDiag.exe to add failure information to the registry in offline mode. By default, SetupDiag will add failure information to the registry in online mode only. Registry data is added to the following location on the system where SetupDiag is run: **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag**.
|
+| /RegPath | - This optional parameter instructs SetupDiag.exe to add failure information to the registry using the specified path. If this parameter is not specified the default path is **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag**.
+
|
Note: The **/Mode** parameter is deprecated in version 1.4.0.0 of SetupDiag.
- In previous versions, this command was used with the LogsPath parameter to specify that SetupDiag should run in an offline manner to analyze a set of log files that were captured from a different computer. In version 1.4.0.0 when you specify /LogsPath then SetupDiag will automatically run in offline mode, therefore the /Mode parameter is not needed.
@@ -318,7 +320,7 @@ Each rule name and its associated unique rule identifier are listed with a descr
## Release notes
-08/08/2019 - SetupDiag v1.6.0.0 is released with 60 rules, as a standalone tool available from the Download Center.
+08/08/2019 - SetupDiag v1.6.0.42 is released with 60 rules, as a standalone tool available from the Download Center.
- Log detection performance is improved. What used to take up to a minute should take around 10 seconds or less.
- Added Setup Operation and Setup Phase information to both the results log and the registry information.
- This is the last Operation and Phase that Setup was in when the failure occurred.
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index e2fa73f5c7..d507296ac2 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -9,32 +9,34 @@ ms.sitesec: library
ms.localizationpriority: medium
author: medgarmedgar
ms.author: v-medgar
-ms.date: 7/9/2019
+ms.date: 8/23/2019
---
-# Manage connections from Windows operating system components to Microsoft services using Microsoft Intune MDM Server
+# Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server
**Applies to**
- Windows 10 Enterprise 1903 version and newer
-You can use Microsoft InTune with MDM CSPs and custom [OMA URIs](https://docs.microsoft.com/intune/custom-settings-windows-10) to minimize connections from Windows to Microsoft services, or to configure particular privacy settings. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
-To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy.
+This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
-You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
+>[!IMPORTANT]
+>- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic)
+> - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
+> - There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 devices.
+>- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features.
+>- To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy.
+>- The **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings.
-Note, there is some traffic which is required (i.e. "whitelisted") for the operation of Windows and the Microsoft InTune based management. This traffic includes CRL and OCSP network traffic which will show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. Additional whitelisted traffic specifically for MDM managed devices includes Windows Notification Service related traffic as well as some specific Microsoft InTune and Windows Update related traffic.
+For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/).
-For more information on Microsoft InTune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/).
+For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies and Registry settings see [Manage connections from Windows 10 operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services).
-For detailed information about managing network connections to Microsoft services using Registries, Group Policies, or UI see [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services).
+We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp**@**microsoft.com**.
-The endpoints for the MDM “whitelisted” traffic are in the [Whitelisted Traffic](#bkmk-mdm-whitelist).
-
-
-### Settings for Windows 10 Enterprise edition 1903 and newer
+## Settings for Windows 10 Enterprise edition 1903 and newer
The following table lists management options for each setting.
@@ -150,7 +152,7 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt
1. Windows Update Service URL - [Update/UpdateServiceUrl](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-updateserviceurl). Allows the device to check for updates from a WSUS server instead of Microsoft Update. **Set to String** with the Value:
1. **\\$CmdID$\- \\chr\text/plain\\ \./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl\\http://abcd-srv:8530\
\**
-### Allowed traffic ("Whitelisted traffic") for Microsoft InTune / MDM configurations
+### Allowed traffic for Microsoft Intune / MDM configurations
|**Allowed traffic endpoints** |
| --- |
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index f4e4106726..33f7ec2b4b 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -1,5 +1,5 @@
---
-title: Manage connections from Windows operating system components to Microsoft services (Windows 10)
+title: Manage connections from Windows 10 operating system components to Microsoft services
description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider.
ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9
ms.reviewer:
@@ -14,10 +14,10 @@ ms.author: dansimp
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 05/16/2019
+ms.date: 8/23/2019
---
-# Manage connections from Windows operating system components to Microsoft services
+# Manage connections from Windows 10 operating system components to Microsoft services
**Applies to**
@@ -25,29 +25,24 @@ ms.date: 05/16/2019
- Windows Server 2016
- Windows Server 2019
-If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
+This article describes the network connections that Windows 10 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
-Learn about the network connections that Windows components make to Microsoft in addition to the privacy settings that affect the data which is shared with either Microsoft or apps and how they can be managed by an IT Pro.
+Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
-If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
+>[!IMPORTANT]
+> - The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic)
+> - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
+> - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these features.
+> - It is recommended that you restart a device after making configuration changes to it.
+> - The **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
-You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
+To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm)
-To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887), but **before application please ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors. This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state.
-Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure you've chosen the right settings configuration for your environment before applying.
-You should not extract this package to the windows\\system32 folder because it will not apply correctly.
+We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp**@**microsoft.com**.
-Applying the Windows Restricted Traffic Limited Functionality Baseline is the same as applying each setting covered in this article.
-It is recommended that you restart a device after making configuration changes to it.
-Note that **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
+## Management options for each setting
-To use Microsoft InTune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm).
-
-We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
-
-## Management options for each setting
-
-The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections.
+The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections
### Settings for Windows 10 Enterprise edition
@@ -230,7 +225,7 @@ For more information, see [Automatic Root Certificates Update Configuration](htt
Although not recommended, you can turn off Automatic Root Certificates Update, which also prevents updates to the disallowed certificate list and the pin rules list.
> [!CAUTION]
-> By not automatically downloading the root certificates, the device might have not been able to connect to some websites.
+> By not automatically downloading the root certificates the device may not be able to connect to some websites.
For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server 2016 Server Core:
@@ -260,7 +255,7 @@ On Windows Server 2016 Nano Server:
- Create the registry path **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\AuthRoot** and then add a REG_DWORD registry setting, named **DisableRootAutoUpdate**, with a value of 1.
>[!NOTE]
->CRL and OCSP network traffic is currently whitelisted and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign.
+>CRL and OCSP network traffic is currently Allowed Traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign.
### 2. Cortana and Search
@@ -390,7 +385,7 @@ Windows Insider Preview builds only apply to Windows 10 and are not available fo
> [!NOTE]
-> If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for zero exhaust) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Full**. Although the diagnostic data level may initially appear as **Basic**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Full**.
+> If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for Restricted Traffic) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Full**. Although the diagnostic data level may initially appear as **Basic**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Full**.
To turn off Insider Preview builds for a released version of Windows 10:
@@ -1260,7 +1255,7 @@ To turn off **Let your apps use your trusted devices (hardware you've already co
### 18.16 Feedback & diagnostics
-In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft.
+In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
To change how frequently **Windows should ask for my feedback**:
@@ -1584,7 +1579,7 @@ You can disconnect from the Microsoft Antimalware Protection Service.
>[!IMPORTANT]
>**Required Steps BEFORE setting the Windows Defender Group Policy or RegKey on Windows 10 version 1903**
>1. Ensure Windows and Windows Defender are fully up to date.
->2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to >the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make >the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link >and then scroll down to the Tamper Protection toggle to set it to **Off**.
+>2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link and then scroll down to the Tamper Protection toggle to set it to **Off**.
- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** and then select **Disabled** from the drop-down box named **Join Microsoft MAPS**
@@ -1623,7 +1618,7 @@ You can stop downloading **Definition Updates**:
- **Remove** the **DefinitionUpdateFileSharesSources** reg value if it exists under **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Signature Updates**
-You can turn off **Malicious Software Reporting Tool diagnostic data**:
+You can turn off **Malicious Software Reporting Tool (MSRT) diagnostic data**:
- Set the REG_DWORD value **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to **1**.
@@ -1881,7 +1876,16 @@ For China releases of Windows 10 there is one additional Regkey to be set to pre
- Add a REG_DWORD value named **HapDownloadEnabled** to **HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LexiconUpdate\\loc_0804** and set the value to 0.
+
+### Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline
+
+|**Allowed traffic endpoints** |
+| --- |
+|activation-v2.sls.microsoft.com/*|
+|crl.microsoft.com/pki/crl/*|
+|ocsp.digicert.com/*|
+|www.microsoft.com/pkiops/*|
To learn more, see [Device update management](https://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](https://technet.microsoft.com/library/cc720539.aspx).
diff --git a/windows/release-information/resolved-issues-windows-10-1507.yml b/windows/release-information/resolved-issues-windows-10-1507.yml
index efd586d8b9..6eb7bd7645 100644
--- a/windows/release-information/resolved-issues-windows-10-1507.yml
+++ b/windows/release-information/resolved-issues-windows-10-1507.yml
@@ -39,7 +39,6 @@ sections:
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.
See details > | OS Build 10240.18132
February 12, 2019
KB4487018 | Resolved
KB4493475 | April 09, 2019
10:00 AM PT |
MSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
See details > | OS Build 10240.18094
January 08, 2019
KB4480962 | Resolved
KB4493475 | April 09, 2019
10:00 AM PT |
Error 1309 when installing/uninstalling MSI or MSP files
Users may receive \"Error 1309\" while installing or uninstalling certain types of MSI and MSP files.
See details > | OS Build 10240.18132
February 12, 2019
KB4487018 | Resolved
KB4489872 | March 12, 2019
10:00 AM PT |
- Internet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.
See details > | OS Build 10240.18132
February 12, 2019
KB4487018 | Resolved
KB4491101 | February 21, 2019
02:00 PM PT |
First character of Japanese era name not recognized
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
See details > | OS Build 10240.18132
February 12, 2019
KB4487018 | Resolved
KB4489872 | March 12, 2019
10:00 AM PT |
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
See details > | OS Build 10240.18158
March 12, 2019
KB4489872 | Resolved
KB4493475 | April 09, 2019
10:00 AM PT |
Applications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
See details > | OS Build 10240.18132
February 12, 2019
KB4487018 | Resolved
KB4489872 | March 12, 2019
10:00 AM PT |
@@ -97,7 +96,6 @@ sections:
| Details | Originating update | Status | History |
| Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4493475.
Back to top | OS Build 10240.18132
February 12, 2019
KB4487018 | Resolved
KB4493475 | Resolved:
April 09, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PT |
Error 1309 when installing/uninstalling MSI or MSP filesAfter installing KB4487018, users may receive “Error 1309” while installing or uninstalling certain types of MSI and MSP files.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4489872.
Back to top | OS Build 10240.18132
February 12, 2019
KB4487018 | Resolved
KB4489872 | Resolved:
March 12, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PT |
- Internet Explorer may fail to load imagesAfter installing KB4487018, Internet Explorer may fail to load images with a backslash (\\) in their relative source path.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4491101.
Back to top | OS Build 10240.18132
February 12, 2019
KB4487018 | Resolved
KB4491101 | Resolved:
February 21, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PT |
First character of Japanese era name not recognizedAfter installing KB4487018, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4489872.
Back to top | OS Build 10240.18132
February 12, 2019
KB4487018 | Resolved
KB4489872 | Resolved:
March 12, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PT |
| Applications using Microsoft Jet database and Access 95 file format stop working Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4489872.
Back to top | OS Build 10240.18132
February 12, 2019
KB4487018 | Resolved
KB4489872 | Resolved:
March 12, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PT |
diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
index cca3c91d12..fb76299a24 100644
--- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
+++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
@@ -66,7 +66,6 @@ sections:
Internet Explorer 11 and apps using the WebBrowser control may fail to render
JavaScript may fail to render as expected in Internet Explorer 11 and in apps using JavaScript or the WebBrowser control.
See details > | OS Build 14393.3085
July 09, 2019
KB4507460 | Resolved
KB4512517 | August 13, 2019
10:00 AM PT |
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
See details > | OS Build 14393.3025
June 11, 2019
KB4503267 | Resolved External
| August 09, 2019
07:03 PM PT |
Apps and scripts using the NetQueryDisplayInformation API may fail with error
Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data.
See details > | OS Build 14393.3053
June 18, 2019
KB4503294 | Investigating
| August 01, 2019
05:00 PM PT |
- SCVMM cannot enumerate and manage logical switches deployed on the host
For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host.
See details > | OS Build 14393.2639
November 27, 2018
KB4467684 | Resolved
KB4507459 | July 16, 2019
10:00 AM PT |
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details > | OS Build 14393.2724
January 08, 2019
KB4480961 | Mitigated
| April 25, 2019
02:00 PM PT |
Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.
See details > | OS Build 14393.2608
November 13, 2018
KB4467691 | Mitigated
| February 19, 2019
10:00 AM PT |
Cluster service may fail if the minimum password length is set to greater than 14
The cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters.
See details > | OS Build 14393.2639
November 27, 2018
KB4467684 | Mitigated
| April 25, 2019
02:00 PM PT |
@@ -117,7 +116,6 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- SCVMM cannot enumerate and manage logical switches deployed on the hostFor hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host after installing KB4467684.
Additionally, if you do not follow the best practices, a stop error may occur in vfpext.sys on the hosts.
Affected platforms: - Client: Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server 2016
Resolution: This issue was resolved in KB4507459.
Back to top | OS Build 14393.2639
November 27, 2018
KB4467684 | Resolved
KB4507459 | Resolved:
July 16, 2019
10:00 AM PT
Opened:
November 27, 2018
10:00 AM PT |
Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAMAfter installing KB4467691, Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.
Affected platforms: - Client: Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server 2016
Workaround: Restart the affected machine using the Unified Extensible Firmware Interface (UEFI). Disable Secure Boot and then restart.
If BitLocker is enabled on your machine, you may have to go through BitLocker recovery after Secure Boot has been disabled.
Next steps: Lenovo and Fujitsu are aware of this issue. Please contact your OEM to ask if there is a firmware update available for your device.
Back to top | OS Build 14393.2608
November 13, 2018
KB4467691 | Mitigated
| Last updated:
February 19, 2019
10:00 AM PT
Opened:
November 13, 2018
10:00 AM PT |
Cluster service may fail if the minimum password length is set to greater than 14After installing KB4467684, the cluster service may fail to start with the error \"2245 (NERR_PasswordTooShort)\" if the Group Policy \"Minimum Password Length\" is configured with greater than 14 characters.
Affected platforms: - Client: Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server 2016
Workaround: Set the domain default \"Minimum Password Length\" policy to less than or equal to 14 characters.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 14393.2639
November 27, 2018
KB4467684 | Mitigated
| Last updated:
April 25, 2019
02:00 PM PT
Opened:
November 27, 2018
10:00 AM PT |
diff --git a/windows/release-information/status-windows-10-1703.yml b/windows/release-information/status-windows-10-1703.yml
index 0e11306afb..dbe7b4e91e 100644
--- a/windows/release-information/status-windows-10-1703.yml
+++ b/windows/release-information/status-windows-10-1703.yml
@@ -20,6 +20,12 @@ sections:
text: "
Find information on known issues for Windows 10, version 1703. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
+
+Current status as of August 23, 2019:
+ The Enterprise and Education editions of Windows 10, version 1703 (the Windows 10 Creators Update) will reach end of life on October 9, 2019. The Home, Pro, Pro for Workstations, and IoT Core editions reached end of service on October 8, 2018. There is no extended support available for any edition of Windows 10, version 1703. Therefore, it will no longer be supported after October 9, 2019 and will not receive monthly security and quality updates containing protections from the latest security threats. To continue receiving security and quality updates, Microsoft recommends that you update your devices to the latest version of Windows 10. For more information on end of service dates and currently supported versions of Windows 10, see the Windows lifecycle fact sheet.
+ |
+
"
- items:
diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
index 4c3dfc4364..5a2c3b8df0 100644
--- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
+++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
@@ -118,7 +118,7 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- Devices with some Asian language packs installed may receive an errorAfter installing the April 2019 Cumulative Update ( KB4493509), devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
- Server: Windows Server, version 1809; Windows Server 2019
Workaround: - Uninstall and reinstall any recently added language packs. For instructions, see \"Manage the input and display language settings in Windows 10\".
- Click Check for Updates and install the April 2019 Cumulative Update. For instructions, see \"Update Windows 10\".
Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows: - Go to Settings app -> Recovery.
- Click on Get Started under \"Reset this PC\" recovery option.
- Select \"Keep my Files\".
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 17763.437
April 09, 2019
KB4493509 | Mitigated
| Last updated:
May 03, 2019
10:59 AM PT
Opened:
May 02, 2019
04:36 PM PT |
+ Devices with some Asian language packs installed may receive an errorAfter installing the April 2019 Cumulative Update ( KB4493509), devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
- Server: Windows Server, version 1809; Windows Server 2019
Workaround: - Uninstall and reinstall any recently added language packs. For instructions, see \"Manage the input and display language settings in Windows 10\".
- Click Check for Updates and install the April 2019 Cumulative Update. For instructions, see \"Update Windows 10\".
Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows: - Go to Settings app -> Recovery.
- Click on Get Started under \"Reset this PC\" recovery option.
- Select \"Keep my Files\".
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 17763.437
April 09, 2019
KB4493509 | Mitigated
| Last updated:
May 03, 2019
10:59 AM PT
Opened:
May 02, 2019
04:36 PM PT |
"
diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml
index 9b7700d02e..1c6c129a90 100644
--- a/windows/release-information/status-windows-10-1903.yml
+++ b/windows/release-information/status-windows-10-1903.yml
@@ -65,7 +65,7 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
- Windows Sandbox may fail to start with error code “0x80070002”
Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language was changed between updates
See details > | OS Build 18362.116
May 20, 2019
KB4505057 | Investigating
| August 20, 2019
10:50 AM PT |
+ Windows Sandbox may fail to start with error code “0x80070002”
Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language was changed between updates
See details > | OS Build 18362.116
May 20, 2019
KB4505057 | Investigating
| August 20, 2019
11:06 AM PT |
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
See details > | OS Build 18362.295
August 13, 2019
KB4512508 | Investigating
| August 17, 2019
01:49 PM PT |
Updates may fail to install and you may receive Error 0x80073701
Installation of updates may fail and you may receive an error, \"Updates Failed, There were problems installing some updates, but we'll try again later\" and \"Error 0x80073701.\"
See details > | OS Build 18362.145
May 29, 2019
KB4497935 | Investigating
| August 16, 2019
04:28 PM PT |
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
See details > | OS Build 18362.145
May 29, 2019
KB4497935 | Investigating
| August 13, 2019
06:59 PM PT |
@@ -130,7 +130,7 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Windows Sandbox may fail to start with error code “0x80070002” Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.
Affected platforms: - Client: Windows 10, version 1903
Next steps: We are working on a resolution and estimates a solution will be available in late August.
Back to top | OS Build 18362.116
May 20, 2019
KB4505057 | Investigating
| Last updated:
August 20, 2019
10:50 AM PT
Opened:
May 24, 2019
04:20 PM PT |
+ | Windows Sandbox may fail to start with error code “0x80070002” Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.
Affected platforms: - Client: Windows 10, version 1903
Next steps: We are working on a resolution and estimates a solution will be available in late August.
Back to top | OS Build 18362.116
May 20, 2019
KB4505057 | Investigating
| Last updated:
August 20, 2019
11:06 AM PT
Opened:
May 24, 2019
04:20 PM PT |
| Intermittent loss of Wi-Fi connectivity Some older computers may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).
To safeguard your upgrade experience, we have applied a hold on devices with this Qualcomm driver from being offered Windows 10, version 1903, until the updated driver is installed.
Affected platforms: - Client: Windows 10, version 1903
Workaround: Before updating to Windows 10, version 1903, you will need to download and install an updated Wi-Fi driver from your device manufacturer (OEM). Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Mitigated External
| Last updated:
August 01, 2019
08:44 PM PT
Opened:
May 21, 2019
07:13 AM PT |
| Gamma ramps, color profiles, and night light settings do not apply in some cases Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.
Microsoft has identified some scenarios in which these features may have issues or stop working, for example: - Connecting to (or disconnecting from) an external monitor, dock, or projector
- Rotating the screen
- Updating display drivers or making other display mode changes
- Closing full screen applications
- Applying custom color profiles
- Running applications that rely on custom gamma ramps
Affected platforms: - Client: Windows 10, version 1903
Workaround: If you find that your night light has stopped working, try turning the night light off and on, or restarting your computer. For other color setting issues, restart your computer to correct the issue.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Mitigated
| Last updated:
August 01, 2019
06:27 PM PT
Opened:
May 21, 2019
07:28 AM PT |
| Display brightness may not respond to adjustments Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. After updating to Windows 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change.
To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved.
Affected platforms: - Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed. Please ensure you have applied the resolving update before attempting to update to the Windows 10 May 2019 Update (version 1903). Please note, it can take up to 48 hours for the safeguard to be removed.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
KB4505903 | Resolved:
July 26, 2019
02:00 PM PT
Opened:
May 21, 2019
07:56 AM PT |
diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
index 15f5bd4ccc..a57a74739b 100644
--- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
+++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
@@ -60,10 +60,10 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
+ Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
Windows updates that are SHA-2 signed are not available with Symantec or Norton antivirus program installed
See details > | August 13, 2019
KB4512506 | Mitigated External
| August 23, 2019
04:25 PM PT |
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details > | June 11, 2019
KB4503292 | Resolved
KB4512514 | August 17, 2019
02:00 PM PT |
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
See details > | August 13, 2019
KB4512506 | Resolved
KB4517297 | August 16, 2019
02:00 PM PT |
IA64 and x64 devices may fail to start after installing updates
After installing updates released on or after August 13, 2019, IA64 and x64 devices using EFI Boot may fail to start.
See details > | August 13, 2019
KB4512506 | Mitigated
| August 17, 2019
12:59 PM PT |
- Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
Windows udates that are SHA-2 signed are not available with Symantec or Norton antivirus program installed
See details > | August 13, 2019
KB4512506 | Investigating
| August 16, 2019
04:28 PM PT |
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.
See details > | April 09, 2019
KB4493472 | Resolved External
| August 13, 2019
06:59 PM PT |
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
See details > | June 11, 2019
KB4503292 | Resolved External
| August 09, 2019
07:03 PM PT |
@@ -81,9 +81,9 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
+ | Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV Symantec identified the potential for a negative interaction that may occur after Windows Updates code signed with SHA-2 only certificates are installed on devices with Symantec or Norton antivirus programs installed. The software may not correctly identify files included in the update as code signed by Microsoft, putting the device at risk for a delayed or incomplete update.
Affected platforms: - Client: Windows 7 SP1
- Server: Windows Server 2008 R2 SP1
Mitigation: To mitigate this issue, Symantec and Norton released updates to their anti-virus software. Symantec Endpoint Protection protected devices can safely apply this update and future updates. See the Symantec support article for additional detail. Norton Security and Norton 360 products will automatically install a product update or users may manually run LiveUpdate and reboot until there are no further updates available.
Next Steps: The safeguard hold on affected devices will be removed in the coming week to allow customers time to apply the resolving anti-virus updates.
Back to top | August 13, 2019
KB4512506 | Mitigated External
| Last updated:
August 23, 2019
04:25 PM PT
Opened:
August 13, 2019
10:05 AM PT |
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with errorAfter installing KB4512506, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517297. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).
Back to top | August 13, 2019
KB4512506 | Resolved
KB4517297 | Resolved:
August 16, 2019
02:00 PM PT
Opened:
August 14, 2019
03:34 PM PT |
| IA64 and x64 devices may fail to start after installing updates IA64 devices (in any configuration) and x64 devices using EFI boot that were provisioned after the July 9th updates and/or skipped the recommended update (KB3133977), may fail to start with the following error: \"File: \\Windows\\system32\\winload.efi Status: 0xc0000428 Info: Windows cannot verify the digital signature for this file.\"
Affected platforms: - Client: Windows 7 SP1
- Server: Windows Server 2008 R2 SP1
Take Action: To resolve this issue please follow the steps outlined in the SHA-2 support FAQ article for error code 0xc0000428.
Back to top | August 13, 2019
KB4512506 | Mitigated
| Last updated:
August 17, 2019
12:59 PM PT
Opened:
August 13, 2019
08:34 AM PT |
- | Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV Symantec has identified an issue that occurs when a device is running any Symantec or Norton antivirus program and installs updates for Windows that are signed with SHA-2 certificates only. The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start.
Affected platforms: - Client: Windows 7 SP1
- Server: Windows Server 2008 R2 SP1
Next steps: To safeguard your update experience, Microsoft and Symantec have partnered to place a safeguard hold on devices with an affected version of Symantec Antivirus or Norton Antivirus installed to prevent them from receiving this type of Windows update until a solution is available. We recommend that you do not manually install affected updates until a solution is available. Please reach out to Symantec or Norton support for further guidance.
Back to top | August 13, 2019
KB4512506 | Investigating
| Last updated:
August 16, 2019
04:28 PM PT
Opened:
August 13, 2019
10:05 AM PT |
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devicesYou may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 ( KB4503292) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Back to top | June 11, 2019
KB4503292 | Resolved External
| Last updated:
August 09, 2019
07:03 PM PT
Opened:
August 09, 2019
04:25 PM PT |
"
diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml
index 6cacd95c0a..0ff0106922 100644
--- a/windows/release-information/windows-message-center.yml
+++ b/windows/release-information/windows-message-center.yml
@@ -49,11 +49,13 @@ sections:
- type: markdown
text: "
| Message | Date |
- Resolved: Delays starting Internet Explorer 11
On August 16, 2019 at 7:16 AM a server required for downloading the Internet Explorer 11 (IE11) startup page, went down. As a result of the server outage, IE 11 became unresponsive for some customers who had not yet installed the August 2019 security updates. Customers who had the August 2019 security update installed were not affected. In order to ensure your devices remain in a serviced and secure state, we recommend you install the latest monthly update.
This issue was resolved on the server side at 1:00 pm PST. | August 16, 2019
04:00 PM PT |
+
+ Take action: SHA-2 code signing support guidance for Windows 7 SP1 and Windows Server 2008 RS2 SP1
Windows 7 SP1 and Windows Server 2008 R2 SP1 update signatures are now SHA-2 based signatures and requires that SHA-2 support to be installed. For important customer guidance on installation and troubleshooting tips, please read the knowledge base article 2019 SHA-2 Code Signing Support requirement for Windows and WSUS. | August 23, 2019
03:35 PM PT |
+ Take action: Windows 10, version 1703 (the Windows 10 Creators Update) reaches end of life on October 9, 2019
The Enterprise and Education editions of Windows 10, version 1703 (the Windows 10 Creators Update) will reach end of life on October 9, 2019. The Home, Pro, Pro for Workstations, and IoT Core editions reached end of service on October 8, 2018.
There is no extended support available for any edition of Windows 10, version 1703. Therefore, it will no longer be supported after October 9, 2019 and will not receive monthly security and quality updates containing protections from the latest security threats.
To continue receiving security and quality updates, Microsoft recommends that you update your devices to the latest version of Windows 10. For more information on end of service dates and currently supported versions of Windows 10, see the Windows lifecycle fact sheet. | August 23, 2019
02:17 PM PT |
+ Resolved: Delays starting Internet Explorer 11
On August 16, 2019 at 7:16 AM a server required for downloading the Internet Explorer 11 (IE11) startup page, went down. As a result of the server outage, IE 11 became unresponsive for some customers who had not yet installed the August 2019 security updates. Customers who had the August 2019 security update installed were not affected. In order to ensure your devices remain in a serviced and secure state, we recommend you install the latest monthly update.
This issue was resolved on the server side at 1:00 pm PST. | August 16, 2019
04:00 PM PT |
August 2019 security update now available for Windows 10, version 1903 and all supported versions of Windows
The August 2019 security update release, referred to as our “B” release, is now available for Windows 10, version 1903 and all supported versions of Windows. A “B” release is the primary, regular update event for each month and is the only regular release that contains security fixes. As a result, we recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate. | August 13, 2019
10:00 AM PT |
Advisory: Bluetooth encryption key size vulnerability disclosed (CVE-2019-9506)
On August 13, 2019, Microsoft released security updates to address a Bluetooth key length encryption vulnerability. To exploit this vulnerability, an attacker would need specialized hardware and would be limited by the signal range of the Bluetooth devices in use. For more information about this industry-wide issue, see CVE-2019-9506 | Bluetooth Encryption Key Size Vulnerability in the Microsoft Security Update Guide and important guidance for IT pros in KB4514157. (Note: we are documenting this vulnerability together with guidance for IT admins as part of a coordinated industry disclosure effort.) | August 13, 2019
10:00 AM PT |
Advisory: Windows Advanced Local Procedure Call Elevation of Privilege vulnerability disclosed (CVE-2019-1162)
On August 13, 2019, Google Project Zero (GPZ) disclosed an Elevation of Privilege (EoP) vulnerability in how Windows handles calls to Advanced Local Procedure Call (ALPC) that affects Windows operating systems, versions 8.1 and higher. An attacker must already have code execution on the target system to leverage these vulnerabilities. Microsoft released security updates on August 13, 2019 that partially address this issue. Other items disclosed by GPZ require more time to address and we are working to release a resolution in mid-September. For more information, see CVE-2019-1162 | Windows ALPC Elevation of Privilege Vulnerability | August 13, 2019
10:00 AM PT |
- Take action: Install required updates for Windows 7 SP1 and Windows Server 2008 RS2 SP1 for SHA-2 code sign support
As of August 13, 2019, Windows 7 SP1 and Windows Server 2008 R2 SP1 updates signatures only support SHA-2 code signing. As outlined in 2019 SHA-2 Code Signing Support requirement for Windows and WSUS, we are requiring that SHA-2 code signing support be installed. If you have Windows Update enabled and have applied the security updates released in March 2019 ( KB4490628) and August 2019 ( KB4474419), you are protected automatically; no further configuration is necessary. If you have not installed the March 2019 updates, you will need to do so in order to continue to receive updates on devices running Windows 7 SP1 and Windows Server 2008 R2 SP1. | August 13, 2019
10:00 AM PT |
Take action: Windows 10, version 1803 (the April 2018 Update) reaches end of service on November 12, 2019
Windows 10, version 1803 (the April 2018 Update) will reach end of service on November 12, 2019 for Home and Pro editions. We will begin updating devices running Windows 10, version 1803 to Windows 10, version 1903 (the May 2019 Update) starting July 16, 2019 to help ensure that these devices remain in a serviced and secure state. For more information, see the Windows 10, version 1903 section of the Windows release health dashboard. | August 13, 2019
10:00 AM PT |
Advisory: Windows Kernel Information Disclosure Vulnerability (CVE-2019-1125)
On July 9, 2019, Microsoft released a security update for a Windows kernel information disclosure vulnerability (CVE-2019-1125). Customers who have Windows Update enabled and have applied the security updates released on July 9, 2019 are protected automatically; no further configuration is necessary. For more information, see CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability in the Microsoft Security Update Guide. (Note: we are documenting this mitigation publicly today, instead of back in July, as part of a coordinated industry disclosure effort.) | August 06, 2019
10:00 AM PT |
Resolved August 1, 2019 16:00 PT: Microsoft Store users may encounter blank screens when clicking on certain buttons
Some customers running the version of the Microsoft Store app released on July 29, 2019 encountered a blank screen when selecting “Switch out of S mode,” “Get Genuine,” or some “Upgrade to [version]” OS upgrade options. This issue has now been resolved and a new version of the Microsoft Store app has been released. Users who encountered this issue will need to update the Microsoft Store app on their device. If you are still encountering an issue, please see Fix problems with apps from Microsoft Store. | August 01, 2019
02:00 PM PT |
@@ -78,8 +80,8 @@ Given the potential impact to customers and their businesses, we have also relea
Reminder: Windows 10 update servicing cadence
This month we received questions about the cadence of updates we released in April and May 2019. Here's a quick recap of our releases and servicing cadence:
- April 9, 2019 was the regular Update Tuesday release for all versions of Windows.
-- May 1, 2019 was an \"optional,\" out of band non-security update (OOB) for Windows 10, version 1809. It was released to Microsoft Catalog and WSUS, providing a critical fix for our OEM partners.
-- May 3, 2019 was the \"optional\" Windows 10, version 1809 \"C\" release for April. This update contained important Japanese era packages for commercial customers to preview. It was released later than expected and mistakenly targeted as \"required\" (instead of \"optional\") for consumers, which pushed the update out to customers and required a reboot. Within 24 hours of receiving customer reports, we corrected the targeting logic and mitigated the issue.
+- May 1, 2019 was an \\\"optional,\\\" out of band non-security update (OOB) for Windows 10, version 1809. It was released to Microsoft Catalog and WSUS, providing a critical fix for our OEM partners.
+- May 3, 2019 was the \\\"optional\\\" Windows 10, version 1809 \\\"C\\\" release for April. This update contained important Japanese era packages for commercial customers to preview. It was released later than expected and mistakenly targeted as \\\"required\\\" (instead of \\\"optional\\\") for consumers, which pushed the update out to customers and required a reboot. Within 24 hours of receiving customer reports, we corrected the targeting logic and mitigated the issue.
For more information about the Windows 10 update servicing cadence, please see the Window IT Pro blog. | May 10, 2019
10:00 AM PT |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md
index dcaa31ea84..f08e397a67 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md
@@ -22,7 +22,7 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>[!NOTE]
-> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page.
+> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks.
The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines.