Merge remote-tracking branch 'refs/remotes/origin/master' into jdsb

This commit is contained in:
Jeanie Decker
2019-01-18 06:34:35 -08:00
57 changed files with 1331 additions and 627 deletions

View File

@ -1,42 +1,42 @@
---
title: Change history for Microsoft Education Get Started
description: New and changed topics in the Microsoft Education get started guide.
keywords: Microsoft Education get started guide, IT admin, IT pro, school, education, change history
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
author: CelesteDG
ms.author: celested
ms.date: 07/07/2017
---
# Change history for Microsoft Education Get Started
This topic lists the changes in the Microsoft Education IT admin get started.
## July 2017
| New or changed topic | Description |
| --- | ---- |
| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | Broke up the get started guide to highlight each phase in the Microsoft Education deployment and management process. |
| [Set up an Office 365 Education tenant](set-up-office365-edu-tenant.md) | New. Shows the video and step-by-step guide on how to set up an Office 365 for Education tenant. |
| [Use School Data Sync to import student data](use-school-data-sync.md) | New. Shows the video and step-by-step guide on School Data Sync and sample CSV files to import student data in a trial environment. |
| [Enable Microsoft Teams for your school](enable-microsoft-teams.md) | New. Shows how IT admins can enable and deploy Microsoft Teams in schools. |
| [Configure Microsoft Store for Education](configure-microsoft-store-for-education.md) | New. Shows the video and step-by-step guide on how to accept the services agreement and ensure your Microsoft Store account is associated with Intune for Education. |
| [Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md) | New. Shows the video and step-by-step guide on how to set up Intune for Education, buy apps from the Microsoft Store for Education, and install the apps for all users in your tenant. |
| [Set up Windows 10 education devices](set-up-windows-10-education-devices.md) | New. Shows options available to you when you need to set up new Windows 10 devices and enroll them to your education tenant. Each option contains a video and step-by-step guide. |
| [Finish Windows 10 device setup and other tasks](finish-setup-and-other-tasks.md) | New. Shows the video and step-by-step guide on how to finish preparing your Windows 10 devices for use in the classroom. |
## June 2017
| New or changed topic | Description |
| --- | ---- |
| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | Includes the following updates:</br></br> - New configuration guidance for IT administrators to deploy Microsoft Teams.</br> - Updated steps for School Data Sync to show the latest workflow and user experience.</br> - Updated steps for Option 2: Try out Microsoft Education in a trial environment. You no longer need the SDS promo code to try SDS in a trial environment. |
## May 2017
| New or changed topic | Description |
| --- | ---- |
| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | New. Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. |
---
title: Change history for Microsoft Education Get Started
description: New and changed topics in the Microsoft Education get started guide.
keywords: Microsoft Education get started guide, IT admin, IT pro, school, education, change history
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
author: CelesteDG
ms.author: celested
ms.date: 07/07/2017
---
# Change history for Microsoft Education Get Started
This topic lists the changes in the Microsoft Education IT admin get started.
## July 2017
| New or changed topic | Description |
| --- | ---- |
| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | Broke up the get started guide to highlight each phase in the Microsoft Education deployment and management process. |
| [Set up an Office 365 Education tenant](set-up-office365-edu-tenant.md) | New. Shows the video and step-by-step guide on how to set up an Office 365 for Education tenant. |
| [Use School Data Sync to import student data](use-school-data-sync.md) | New. Shows the video and step-by-step guide on School Data Sync and sample CSV files to import student data in a trial environment. |
| [Enable Microsoft Teams for your school](enable-microsoft-teams.md) | New. Shows how IT admins can enable and deploy Microsoft Teams in schools. |
| [Configure Microsoft Store for Education](configure-microsoft-store-for-education.md) | New. Shows the video and step-by-step guide on how to accept the services agreement and ensure your Microsoft Store account is associated with Intune for Education. |
| [Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md) | New. Shows the video and step-by-step guide on how to set up Intune for Education, buy apps from the Microsoft Store for Education, and install the apps for all users in your tenant. |
| [Set up Windows 10 education devices](set-up-windows-10-education-devices.md) | New. Shows options available to you when you need to set up new Windows 10 devices and enroll them to your education tenant. Each option contains a video and step-by-step guide. |
| [Finish Windows 10 device setup and other tasks](finish-setup-and-other-tasks.md) | New. Shows the video and step-by-step guide on how to finish preparing your Windows 10 devices for use in the classroom. |
## June 2017
| New or changed topic | Description |
| --- | ---- |
| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | Includes the following updates:</br></br> - New configuration guidance for IT administrators to deploy Microsoft Teams.</br> - Updated steps for School Data Sync to show the latest workflow and user experience.</br> - Updated steps for Option 2: Try out Microsoft Education in a trial environment. You no longer need the SDS promo code to try SDS in a trial environment. |
## May 2017
| New or changed topic | Description |
| --- | ---- |
| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | New. Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. |
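Review bot: the `</br>` tags in the June 2017 table row are malformed (`br` has no closing form), so the line breaks inside `| ... | Includes the following updates:</br></br> - New configuration guidance ...` may not render as intended; use `<br>` or `<br/>` instead. The before and after content of this file is otherwise identical, so this hunk appears to be a whitespace or line-ending only rewrite; confirm that is intended.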

View File

@ -1,31 +1,31 @@
---
title: Create tests using Microsoft Forms
description: Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test.
keywords: school, Take a Test, Microsoft Forms
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
author: CelesteDG
ms.author: celested
redirect_url: https://support.microsoft.com/help/4000711/windows-10-create-tests-using-microsoft-forms
---
# Create tests using Microsoft Forms
**Applies to:**
- Windows 10
For schools that have an Office 365 Education subscription, teachers can use [Microsoft Forms](https://support.office.com/article/What-is-Microsoft-Forms-6b391205-523c-45d2-b53a-fc10b22017c8) to create a test and then require that students use the Take a Test app to block access to other computers or online resources while completing the test created through Microsoft Forms.
To do this, teachers can select a check box to make it a secure test. Microsoft Forms will generate a link that you can use to embed into your OneNote or class website. When students are ready to take a test, they can click on the link to start the test.
Microsoft Forms will perform checks to ensure students are taking the test in a locked down Take a Test session. If not, students are not permitted access to the assessment.
[Learn how to block Internet access while students complete your form](https://support.office.com/article/6bd7e31d-5be0-47c9-a0dc-c0a74fc48959)
## Related topics
[Take tests in Windows 10](take-tests-in-windows-10.md)
---
title: Create tests using Microsoft Forms
description: Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test.
keywords: school, Take a Test, Microsoft Forms
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
author: CelesteDG
ms.author: celested
redirect_url: https://support.microsoft.com/help/4000711/windows-10-create-tests-using-microsoft-forms
---
# Create tests using Microsoft Forms
**Applies to:**
- Windows 10
For schools that have an Office 365 Education subscription, teachers can use [Microsoft Forms](https://support.office.com/article/What-is-Microsoft-Forms-6b391205-523c-45d2-b53a-fc10b22017c8) to create a test and then require that students use the Take a Test app to block access to other computers or online resources while completing the test created through Microsoft Forms.
To do this, teachers can select a check box to make it a secure test. Microsoft Forms will generate a link that you can use to embed into your OneNote or class website. When students are ready to take a test, they can click on the link to start the test.
Microsoft Forms will perform checks to ensure students are taking the test in a locked down Take a Test session. If not, students are not permitted access to the assessment.
[Learn how to block Internet access while students complete your form](https://support.office.com/article/6bd7e31d-5be0-47c9-a0dc-c0a74fc48959)
## Related topics
[Take tests in Windows 10](take-tests-in-windows-10.md)
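Review bot: the before and after versions of this file are identical in content, so this hunk is most likely a line-ending or trailing-whitespace change; whole-file rewrites like this bury the real changes in the commit, so consider normalizing line endings once via a `.gitattributes` rule rather than committing them file by file.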

Binary file not shown.


View File

@ -9,7 +9,7 @@ ms.pagetype: edu
ms.localizationpriority: medium
author: lenewsad
ms.author: lanewsad
ms.date: 07/13/2018
ms.date: 01/11/2019
---
# Azure AD Join for school PCs
@ -75,7 +75,7 @@ to delete.
3. Select and delete inactive and expired user accounts.
### How do I know if my package expired?
Automated Azure AD tokens expire after 30 days. The expiration date for each token is appended to the end of the saved provisioning package, on the USB drive. After this date, you must create a new package. Be careful that you don't delete active accounts.
Automated Azure AD tokens expire after 180 days. The expiration date for each token is appended to the end of the saved provisioning package, on the USB drive. After this date, you must create a new package. Be careful that you don't delete active accounts.
![Screenshot of the Azure portal, Azure Active Directory, All Users page. Highlights all accounts that start with the prefix package_ and can be deleted.](images/suspc-admin-token-delete-1807.png)
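Review bot: the documented token lifetime changes from 30 to 180 days in "Automated Azure AD tokens expire after 180 days."; please confirm this against the current product behaviour, because a six-times-longer lifetime means a provisioning package sitting on a USB drive stays usable for bulk enrollment far longer. If the new value is correct, the surrounding guidance should also tell admins to keep the USB drive physically secure and to remove the `package_` accounts as soon as the devices are enrolled, rather than waiting for the expiration date appended to the package name.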

View File

@ -82,23 +82,21 @@ For a more detailed look of each policy listed, see [Policy CSP](https://docs.mi
|Updates Windows | Nightly | Sets Windows to update on a nightly basis. |
## Apps uninstalled from Windows 10 devices
Set up School PCs app uses the Universal app uninstall policy. This policy identifies default apps that are not relevant to the classroom experience, and uninstalls them from each device. The following table lists all apps uninstalled from Windows 10 devices.
Set up School PCs app uses the Universal app uninstall policy. This policy identifies default apps that are not relevant to the classroom experience, and uninstalls them from each device. ALl apps uninstalled from Windows 10 devices include:
|App name |Application User Model ID |
|---------|---------|
|3D Builder | Microsoft.3DBuilder_8wekyb3d8bbwe |
|Bing Weather | Microsoft.BingWeather_8wekyb3d8bbwe |
|Desktop App Installer|Microsoft.DesktopAppInstaller_8wekyb3d8bbwe|
|Get Started | Microsoft.Getstarted_8wekyb3d8bbw |
|Messaging|Microsoft.Messaging_8wekyb3d8bbwe
|Microsoft Office Hub| Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe |
|Microsoft Solitaire Collection | Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe |
|One Connect|Microsoft.OneConnect_8wekyb3d8bbwe|
|Paid Wi-Fi & Cellular | Microsoft.OneConnect_8wekyb3d8bbwe |
|Feedback Hub | Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe |
|Xbox | Microsoft.XboxApp_8wekyb3d8bbwe |
|Mail/Calendar | microsoft.windowscommunicationsapps_8wekyb3d8bbwe|
* Mixed Reality Viewer
* Weather
* Desktop App Installer
* Tips
* Messaging
* My Office
* Microsoft Solitaire Collection
* Mobile Plans
* Feedback Hub
* Xbox
* Mail/Calendar
* Skype
## Apps installed on Windows 10 devices
Set up School PCs uses the Universal app install policy to install school-relevant apps on all Windows 10 devices. Apps that are installed include:
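Review bot: typo in the new intro sentence, "ALl apps uninstalled from Windows 10 devices include:" should read "All apps ...". More importantly, replacing the table with a bullet list drops the Application User Model IDs (for example `Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe`), which are what an admin needs to verify the removal or to script it with Get-AppxPackage; consider keeping the IDs next to the friendly names. The old table also had two visible errors worth not carrying forward silently: the Get Started ID was truncated (`Microsoft.Getstarted_8wekyb3d8bbw`) and One Connect and Paid Wi-Fi & Cellular shared the same ID.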

View File

@ -9,11 +9,22 @@ ms.pagetype: edu
ms.localizationpriority: medium
author: lenewsad
ms.author: lanewsad
ms.date: 10/23/2018
ms.date: 01/11/2019
---
# What's new in Set up School PCs
Learn whats new with the Set up School PCs app each week. Find out about new app features and functionality, and see updated screenshots. You'll also find information about past releases.
Learn whats new with the Set up School PCs app each week. Find out about new app features and functionality, and see updated screenshots. You'll also find information about past releases.
## Week of December 31, 2019
### Add Microsoft Whiteboard to provisioning package
Microsoft Whiteboard has been added to the list of Microsoft-recommended apps for schools. Whiteboard is a freeform digital canvas where ideas, content, and people come together so students can create and collaborate in real time in the classroom. You can add Whiteboard to your provisioning package in Set up School PCs, on the **Add apps** page. For more information see [Use Set up School PCs app](use-set-up-school-pcs-app.md#create-the-provisioning-package).
## Week of November 5, 2018
### Sync school app inventory from Microsoft Store
During setup, you can now add apps from your school's Microsoft Store inventory. After you sign in with your school's Office 365 account, Set up School PCs will sync the apps from Microsoft Store, and make them visible on the **Add apps** page. For more information about adding apps, see [Use Set Up School PCs app](use-set-up-school-pcs-app.md#create-the-provisioning-package).
## Week of October 15, 2018
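Review bot: the new heading "Week of December 31, 2019" is dated in the future relative to this commit (the front matter is updated to ms.date 01/11/2019 and the next entry is the week of November 5, 2018); it almost certainly should read "Week of December 31, 2018". Also, "Learn whats new with the Set up School PCs app" is missing an apostrophe in both the old and new line: "Learn what's new".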

View File

@ -212,22 +212,25 @@ Set up the Take a Test app to give online quizzes and high-stakes assessments. D
3. Enter the URL where the test is hosted. When students log in to the Take a Test account, they'll be able to click or enter the link to view the assessment.
4. Click **Next**.
### Recommended apps
Choose from a list of recommended Microsoft Store apps to install on student PCs. Then click **Next**. After they're assigned, apps are pinned to the student's Start menu.
### Add apps
Choose from Microsoft recommended apps and your school's own Microsoft Store inventory. The apps you select here are added to the provisioning package and installed on student PCs. After they're assigned, apps are pinned to the device's Start menu.
![Example screenshots of the Add recommended apps screen with recommended app icons and selection boxes. Some apps selected for example purposes.](images/1810_SUSPC_add_apps.png)
If there aren't any apps in your Microsoft Store inventory, or you don't have the permissions to add apps, you'll need to contact your school admin for help. If you receive a message that you can't add the selected apps, click **Continue without apps**. Contact your school admin to get these apps later.
After you've made your selections, click **Next**.
![Example screenshots of the Add apps screen with selection of recommended apps and school inventory apps.](images/1812_Add_Apps_SUSPC.png)
The following table lists the recommended apps you'll see.
|App |Note |
|---------|---------|
|Office 365 for Windows 10 in S mode (Education Preview) | Setup is only successful on student PCs that run Windows 10 in S mode. The PC you running the Set up School PCs app is not required to have Windows 10 in S mode. |
|Microsoft Whiteboard | None|
|Minecraft: Education Edition | Free trial|
|Other apps fit for the classroom |Select from WeDo 2.0 LEGO®, Arduino IDE, Ohbot, Sesavis Visual, and EV3 Programming|
If you receive an error and are unable to add the selected apps, click **Continue without apps**. Contact your IT admin to get these apps later.
![Example screenshots of the Add recommended apps screen with message that selected apps could not be added. Red rectangles highlight the message and Continue without apps button.](images/1810_SUSPC_app_error.png)
### Personalization
Upload custom images to replace the student devices' default desktop and lock screen backgrounds. Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.
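Review bot: the unchanged table row for Office 365 still reads "The PC you running the Set up School PCs app is not required to have Windows 10 in S mode."; since this hunk rewrites the surrounding section, fix it here to "The PC you're running the Set up School PCs app on is not required ...". In the new intro, "After they're assigned, apps are pinned to the device's Start menu." uses "assigned" where the previous sentence says the apps are "installed on student PCs"; using the same verb avoids implying a separate assignment step.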

View File

@ -67,7 +67,7 @@ The following best practices should be considered when sequencing a new applicat
 
**Sequence to a unique directory that follows the 8.3 naming convention.**
- **Sequence to a unique directory that follows the 8.3 naming convention.**
You should sequence all applications to a directory that follows the 8.3 naming convention. The specified directory name cannot contain more than eight characters, followed by a three-character file name extension—for example, **Q:\\MYAPP.ABC**.

View File

@ -13,32 +13,37 @@ ms.date: 2/16/2018
# Upgrading to MBAM 2.5 SP1 from MBAM 2.5
This topic describes the process for upgrading the Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 and the MBAM Client from 2.5 to MBAM 2.5 SP1.
### Before you begin, download the September 2017 servicing release
[Desktop Optimization Pack](https://www.microsoft.com/en-us/download/details.aspx?id=56126)
### Before you begin
#### Download the July 2018 servicing release
[Desktop Optimization Pack](https://www.microsoft.com/download/details.aspx?id=57157)
#### Verify the installation documentaion
Verify you have a current documentation of your MBAM environment, including all server names, database names, service accounts and their passwords.
### Upgrade steps
#### Steps to upgrade the MBAM Database (SQL Server)
1. Using the MBAM Configurator; remove the Reports roll from the SQL server, or wherever the SSRS database is housed (Could be on the same server or different one, depending on your environment)
1. Using the MBAM Configurator; remove the Reports role from the SQL server, or wherever the SSRS database is hosted. Depending on your environment, this can be the same server or a separate one.
Note: You will not see an option to remove the Databases; this is expected.  
2. Install 2.5 SP1 (Located with MDOP - Microsoft Desktop Optimization Pack 2015 from the Volume Licensing Service Center site: <https://www.microsoft.com/Licensing/servicecenter/default.aspx>
3. Do not configure it at this time 
4. Install the September Rollup: https://www.microsoft.com/en-us/download/details.aspx?id=56126
5. Using the MBAM Configurator; re-add the Reports rollup
4. Install the July 2018 Rollup: https://www.microsoft.com/download/details.aspx?id=57157
5. Using the MBAM Configurator; re-add the Reports role
6. This will configure the SSRS connection using the latest MBAM code from the rollup 
7. Using the MBAM Configurator; re-add the SQL Database roll on the SQL Server.
- At the end, you will be warned that the DBs already exist and werent created, but this is  expected.
7. Using the MBAM Configurator; re-add the SQL Database role on the SQL Server.
- At the end, you will be warned that the DBs already exist and werent created, but this is expected.
- This process updates the existing databases to the current version being installed      
#### Steps to upgrade the MBAM Server (Running MBAM and IIS)
1. Using the MBAM Configurator; remove the Admin and Self Service Portals from the IIS server
2. Install MBAM 2.5 SP1
3. Do not configure it at this time  
4. Install the September 2017 Rollup on the IIS server(https://www.microsoft.com/en-us/download/details.aspx?id=56126)
4. Install the July 2018 Rollup on the IIS server(https://www.microsoft.com/download/details.aspx?id=57157)
5. Using the MBAM Configurator; re-add the Admin and Self Service Portals to the IIS server 
6. This will configure the sites using the latest MBAM code from the June Rollup
6. This will configure the sites using the latest MBAM code from the July 2018 Rollup
- Open an elevated command prompt, Type: **IISRESET** and Hit Enter.
#### Steps to upgrade the MBAM Clients/Endpoints
1. Uninstall the 2.5 Agent from client endpoints
2. Install the 2.5 SP1 Agent on the client endpoints
3. Push out the September Rollup Client update to clients running the 2.5 SP1 Agent 
4. There is no need to uninstall existing client prior to installing the September Rollup.  
3. Push out the July 2018 Rollup Client update to clients running the 2.5 SP1 Agent 
4. There is no need to uninstall the existing client prior to installing the July 2018 Rollup.  
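Review bot: the new heading "Verify the installation documentaion" has a typo (documentation), and the checklist under it asks admins to keep "service accounts and their passwords" in the environment documentation; service account passwords belong in a credential vault or secrets store, not in a server inventory document, so suggest "service accounts (with their passwords held in your credential vault)". Still unfixed in the hunk: "werent" needs an apostrophe in "the DBs already exist and werent created", step 2 has an unclosed parenthesis after "Install 2.5 SP1 (Located with MDOP ...", and step 4 of the IIS section lacks a space before "(https://www.microsoft.com/download/details.aspx?id=57157)".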

View File

@ -12,19 +12,19 @@
## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)
## [Windows libraries](windows-libraries.md)
## [Troubleshoot Windows 10 clients](windows-10-support-solutions.md)
### [Advanced troubleshooting for Windows networking issues](troubleshoot-networking.md)
#### [Advanced troubleshooting Wireless Network Connectivity](advanced-troubleshooting-wireless-network-connectivity.md)
#### [Data collection for troubleshooting 802.1x Authentication](data-collection-for-802-authentication.md)
#### [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md)
### [Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md)
#### [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md)
#### [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md)
#### [Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md)
#### [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md)
### [Advanced troubleshooting for Windows start-up issues](troubleshoot-windows-startup.md)
### [Advanced troubleshooting for Windows networking](troubleshoot-networking.md)
#### [Advanced troubleshooting Wireless network connectivity](advanced-troubleshooting-wireless-network-connectivity.md)
#### [Advanced troubleshooting 802.1X authentication](advanced-troubleshooting-802-authentication.md)
##### [Data collection for troubleshooting 802.1X authentication](data-collection-for-802-authentication.md)
#### [Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md)
##### [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md)
##### [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md)
##### [Troubleshoot port exhaustion](troubleshoot-tcpip-port-exhaust.md)
##### [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md)
### [Advanced troubleshooting for Windows startup](troubleshoot-windows-startup.md)
#### [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
#### [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md)
#### [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md)
#### [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md)
#### [Advanced troubleshooting for Windows-based computer freeze](troubleshoot-windows-freeze.md)
#### [Advanced troubleshooting for stop error or blue screen error](troubleshoot-stop-errors.md)
#### [Advanced troubleshooting for stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md)
## [Mobile device management for solution providers](mdm/index.md)
## [Change history for Client management](change-history-for-client-management.md)

View File

@ -1,87 +1,118 @@
---
title: Advanced Troubleshooting 802.1x Authentication
description: Learn how 802.1x Authentication works
keywords: advanced troubleshooting, 802.1x authentication, troubleshooting, authentication, Wi-Fi
title: Advanced Troubleshooting 802.1X Authentication
description: Learn how 802.1X Authentication works
keywords: advanced troubleshooting, 802.1X authentication, troubleshooting, authentication, Wi-Fi
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
author: kaushika-msft
ms.localizationpriority: medium
ms.author: mikeblodge
ms.date: 10/29/2018
ms.author: greg-lindsay
---
# Advanced Troubleshooting 802.1x Authentication
# Advanced troubleshooting 802.1X authentication
## Overview
This is a general troubleshooting of 802.1x wireless and wired clients. With
802.1x and Wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make Access Points or Switches, it won't be an end-to-end Microsoft solution.
This is a general troubleshooting of 802.1X wireless and wired clients. With 802.1X and wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make access points or wwitches, it won't be an end-to-end Microsoft solution.
### Scenarios
## Scenarios
This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 - 10 for clients, and Windows Server 2008 R2 - 2012 R2 for NPS.
### Known Issues
N/A
### Data Collection
[Advanced Troubleshooting 802.1x Authentication Data Collection](https://docs.microsoft.com/en-us/windows/client-management/data-collection-for-802-authentication)
### Troubleshooting
- Viewing the NPS events in the Windows Security Event log is one of the most useful troubleshooting methods to obtain information about failed authentications.
## Known Issues
NPS event log entries contain information on the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. NPS event logging for rejected or accepted connection is enabled by default.
Check Windows Security Event log on the NPS Server for NPS events corresponding to rejected (event ID 6273) or accepted (event ID 6272) connection attempts.
None
In the event message, scroll to the very bottom, and check the **Reason Code** field and the text associated with it.
## Data Collection
See [Advanced troubleshooting 802.1X authentication data collection](data-collection-for-802-authentication.md).
![example of an audit failure](images/auditfailure.png)
*Example: event ID 6273 (Audit Failure)*
## Troubleshooting
Viewing [NPS authentication status events](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735320(v%3dws.10)) in the Windows Security [event log](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc722404(v%3dws.11)) is one of the most useful troubleshooting methods to obtain information about failed authentications.
NPS event log entries contain information on the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. If you are not seeing both success and failure events, see the section below on [NPS audit policy](#audit-policy).
Check Windows Security Event log on the NPS Server for NPS events corresponding to rejected ([event ID 6273](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts.
In the event message, scroll to the very bottom, and check the [Reason Code](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text associated with it.
![example of an audit failure](images/auditfailure.png)
*Example: event ID 6273 (Audit Failure)*<br><br>
![example of an audit success](images/auditsuccess.png)
*Example: event ID 6272 (Audit Success)*
![example of an audit success](images/auditsuccess.png)
*Example: event ID 6272 (Audit Success)*<br>
- The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, Wired AutoConfig operational log is equivalent one.
The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, Wired AutoConfig operational log is equivalent one.
On client side, navigate to the Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational for wireless issue (for wired network access, ..\Wired-AutoConfig/Operational).
On the client side, navigate to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, navigate to **..\Wired-AutoConfig/Operational**. See the following example:
![event viewer screenshot showing wired-autoconfig and WLAN autoconfig](images/eventviewer.png)
- Most 802.1X authentication issues is due to problems with the certificate which is used for client or server authentication (e.g. invalid certificate, expiration, chain verification failure, revocation check failure, etc.).
Most 802.1X authentication issues are due to problems with the certificate that is used for client or server authentication (e.g. invalid certificate, expiration, chain verification failure, revocation check failure, etc.).
First, make sure which type of EAP method is being used.
First, validate the type of EAP method being used:
![eap authentication type comparison](images/comparisontable.png)
- If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from EAP property menu. See figure below.
If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu:
![Constraints tab of the secure wireless connections properties](images/eappropertymenu.png)
- The CAPI2 event log will be useful for troubleshooting certificate-related issues.
This log is not enabled by default. You can enable this log by navigating to the Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2 directory and expand it, then right-click on the Operational view and click the Enable Log menu.
The CAPI2 event log will be useful for troubleshooting certificate-related issues.
This log is not enabled by default. You can enable this log by expanding **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2**, right-clicking **Operational** and then clicking **Enable Log**.
![screenshot of event viewer](images/eventviewer.png)
![screenshot of event viewer](images/capi.png)
You can refer to this article about how to analyze CAPI2 event logs.
[Troubleshooting PKI Problems on Windows Vista](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29)
For detailed troubleshooting 802.1X authentication issues, it&#39;s important to understand 802.1X authentication process. The figure below is an example of wireless connection process with 802.1X authentication.
The following article explains how to analyze CAPI2 event logs:
[Troubleshooting PKI Problems on Windows Vista](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29).
![aithenticatior flow chart](images/authenticator_flow_chart.png)
- If you collect network packet capture on both a client and a NPS side, you can see the flow like below. Type **EAPOL** in Display Filter menu in Network Monitor for a client side and **EAP** for a NPS side.
> [!NOTE]
> info not critical to a task If you also enable wireless scenario trace with network packet capture, you can see more detailed information on Network Monitor with **ONEX\_MicrosoftWindowsOneX** and **WLAN\_MicrosoftWindowsWLANAutoConfig** Network Monitor filtering applied.
When troubleshooting complex 802.1X authentication issues, it is important to understand the 802.1X authentication process. The following figure is an example of wireless connection process with 802.1X authentication:
![authenticatior flow chart](images/authenticator_flow_chart.png)
If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter in for a client side capture, and **EAP** for an NPS side capture. See the following examples:
![client-side packet capture data](images/clientsidepacket_cap_data.png)
*Client-side packet capture data*
*Client-side packet capture data*<br><br>
![NPS-side packet capture data](images/NPS_sidepacket_capture_data.png)
*NPS-side packet capture data*
*NPS-side packet capture data*<br>
> [!NOTE]
> If you have a wireless trace, you can also [view ETL files with network monitor](https://docs.microsoft.com/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. Follow the instructions under the **Help** menu in Network Monitor to load the reqired [parser](https://blogs.technet.microsoft.com/netmon/2010/06/04/parser-profiles-in-network-monitor-3-4/) if needed. See the example below.
![ETL parse](images/etl.png)
## Audit policy
NPS audit policy (event logging) for connection success and failure is enabled by default. If you find that one or both types of logging are disabled, use the following steps to troubleshoot.
View the current audit policy settings by running the following command on the NPS server:
```
auditpol /get /subcategory:"Network Policy Server"
```
If both success and failure events are enabled, the output should be:
<pre>
System audit policy
Category/Subcategory Setting
Logon/Logoff
Network Policy Server Success and Failure
</pre>
If it shows No auditing, you can run this command to enable it:
```
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
```
Even if audit policy appears to be fully enabled, it sometimes helps to disable and then re-enable this setting. You can also enable Network Policy Server logon/logoff auditing via Group Policy. The success/failure setting can be found under **Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff -> Audit Network Policy Server**.
## Additional references
[Troubleshooting Windows Vista 802.11 Wireless Connections](https://technet.microsoft.com/ja-jp/library/cc766215%28v=ws.10%29.aspx)
[Troubleshooting Windows Vista Secure 802.3 Wired Connections](https://technet.microsoft.com/de-de/library/cc749352%28v=ws.10%29.aspx)
[Troubleshooting Windows Vista 802.11 Wireless Connections](https://technet.microsoft.com/library/cc766215%28v=ws.10%29.aspx)<br>
[Troubleshooting Windows Vista Secure 802.3 Wired Connections](https://technet.microsoft.com/library/cc749352%28v=ws.10%29.aspx)
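Review bot: the new alt text "authenticatior flow chart" still misspells "authenticator" (the old line had "aithenticatior"), and two more wording slips survive in the rewritten lines: "in the Display Filter in for a client side capture" has a stray "in", and the note about loading the parser says "reqired". Suggested: `Type **EAPOL** in the Display Filter for a client side capture, and **EAP** for an NPS side capture.` The two caption lines also end inconsistently (`*Client-side packet capture data*<br><br>` versus `*NPS-side packet capture data*<br>`); pick one form. On the CAPI2 step, since the log is off by default and is switched on by hand, it would help the reader to say that it must be enabled before the failing authentication is reproduced, otherwise the certificate chain and revocation events for that attempt are never recorded.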

View File

@ -7,30 +7,31 @@ ms.mktglfcycl:
ms.sitesec: library
author: kaushika-msft
ms.localizationpriority: medium
ms.author: mikeblodge
ms.date: 10/29/2018
ms.author: greg-lindsay
---
# Advanced Troubleshooting Wireless Network Connectivity
# Advanced troubleshooting wireless network connectivity
> [!NOTE]
> Home users: This article is intended for use by support agents and IT professionals. If you're looking for more general information about Wi-Fi problems in Windows 10, check out this [Windows 10 Wi-Fi fix article](https://support.microsoft.com/en-in/help/4000432/windows-10-fix-wi-fi-problems).
## Overview
This is a general troubleshooting of establishing Wi-Fi connections from Windows Clients.
This is a general troubleshooting of establishing Wi-Fi connections from Windows clients.
Troubleshooting Wi-Fi connections requires understanding the basic flow of the Wi-Fi autoconnect state machine. Understanding this flow makes it easier to determine the starting point in a repro scenario in which a different behavior is found.
This workflow involves knowledge and use of [TextAnalysisTool](https://github.com/TextAnalysisTool/Releases), an extensive text filtering tool that is useful with complex traces with numerous ETW providers such as wireless_dbg trace scenario.
## Scenarios
Any scenario in which Wi-Fi connections are attempted and fail to establish. The troubleshooter is developed with Windows 10 clients in focus, but also may be useful with traces as far back as Windows 7.
This article applies to any scenario in which Wi-Fi connections fail to establish. The troubleshooter is developed with Windows 10 clients in focus, but also may be useful with traces as far back as Windows 7.
> [!NOTE]
> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component ETW. It is not meant to be representative of every wireless problem scenario.
> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component [Event Tracing for Windows](https://docs.microsoft.com/windows/desktop/etw/event-tracing-portal) (ETW). It is not meant to be representative of every wireless problem scenario.
Wireless ETW is incredibly verbose and calls out lots of innocuous errors (i.e. Not really errors so much as behaviors that are flagged and have nothing to do with the problem scenario). Simply searching for or filtering on "err", "error", and "fail" will seldom lead you to the root cause of a problematic Wi-Fi scenario. Instead it will flood the screen with meaningless logs that will obfuscate the context of the actual problem.
Wireless ETW is incredibly verbose and calls out a lot of innocuous errors (rather flagged behaviors that have little or nothing to do with the problem scenario). Simply searching for or filtering on "err", "error", and "fail" will seldom lead you to the root cause of a problematic Wi-Fi scenario. Instead it will flood the screen with meaningless logs that will obfuscate the context of the actual problem.
It is important to understand the different Wi-Fi components involved, their expected behaviors, and how the problem scenario deviates from those expected behaviors.
The intention of this troubleshooter is to show how to find a starting point in the verbosity of wireless_dbg ETW and home in on the responsible component(s) causing the connection problem.
The intention of this troubleshooter is to show how to find a starting point in the verbosity of wireless_dbg ETW and home in on the responsible components that are causing the connection problem.
### Known Issues and fixes
** **
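Review bot: `ms.date: 10/29/2018` is left unchanged while `ms.author` moves from mikeblodge to greg-lindsay and the body text is rewritten; the date should be bumped together with the content change. The rewritten sentence "calls out a lot of innocuous errors (rather flagged behaviors that have little or nothing to do with the problem scenario)" is still hard to parse; suggested: `calls out a lot of innocuous errors (they are flagged behaviors rather than real errors, and usually have nothing to do with the problem scenario)`. The Wi-Fi fix link keeps a locale segment (`https://support.microsoft.com/en-in/help/4000432/...`), unlike the locale-free links this same change introduces in the 802.1X article's references; drop `en-in/`. Finally, the stray `** **` line under "Known Issues and fixes" renders as an empty bold span and should be removed.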
@ -41,6 +42,7 @@ The intention of this troubleshooter is to show how to find a starting point in
| **Windows 10, version 1703** | [KB4338827](https://support.microsoft.com/help/4338827) |
Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update-history webpage for your system:
- [Windows 10 version 1809](https://support.microsoft.com/help/4464619)
- [Windows 10 version 1803](https://support.microsoft.com/help/4099479)
- [Windows 10 version 1709](https://support.microsoft.com/en-us/help/4043454)
- [Windows 10 version 1703](https://support.microsoft.com/help/4018124)
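Review bot: the new entry `- [Windows 10 version 1809](https://support.microsoft.com/help/4464619)` follows the locale-free URL form of its neighbours, but the 1709 entry in the same list still carries `en-us/`; while this list is being touched, make all entries consistent.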
@ -50,35 +52,47 @@ Make sure that you install the latest Windows updates, cumulative updates, and r
- [Windows Server 2012](https://support.microsoft.com/help/4009471)
- [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/40009469)
### Data Collection
1. Network Capture with ETW. Use the following command:
## Data Collection
**netsh trace start wireless\_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl**
1. Network Capture with ETW. Enter the following at an elevated command prompt:
2. Reproduce the issue if:
- There is a failure to establish connection, try to manually connect
- It is intermittent but easily reproducible, try to manually connect until it fails. Include timestamps of each connection attempt (successes and failures)
- Tue issue is intermittent but rare, netsh trace stop command needs to be triggered automatically (or at least alerted to admin quickly) to ensure trace doesnt overwrite the repro data.
- Intermittent connection drops trigger stop command on a script (ping or test network constantly until fail, then netsh trace stop).
```
netsh trace start wireless_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl
```
2. Reproduce the issue.
- If there is a failure to establish connection, try to manually connect.
- If it is intermittent but easily reproducible, try to manually connect until it fails. Record the time of each connection attempt, and whether it was a success or failure.
- If the issue is intermittent but rare, netsh trace stop command needs to be triggered automatically (or at least alerted to admin quickly) to ensure trace doesnt overwrite the repro data.
- If intermittent connection drops trigger stop command on a script (ping or test network constantly until fail, then netsh trace stop).
3. Stop the trace by entering the following command:
```
netsh trace stop
```
4. To convert the output file to text format:
```
netsh trace convert c:\tmp\wireless.etl
```
See the [example ETW capture](#example-etw-capture) at the bottom of this article for an example of the command output. After running these commands, you will have three files: wireless.cab, wireless.etl, and wireless.txt.
## Troubleshooting
3. Run this command to stop the trace: **netsh trace stop**
4. To convert the output file to text format: **netsh trace convert c:\tmp\wireless.etl**
### Troubleshooting
The following is a high-level view of the main wifi components in Windows.
![Wi-Fi stack components](images/wifistackcomponents.png)
The Windows Connection Manager (Wcmsvc) is closely associated with the UI controls (see taskbar icon) to connect to various networks including wireless. It accepts and processes input from the user and feeds it to the core wireless service (Wlansvc). The Wireless Autoconfig Service (Wlansvc) handles the core functions of wireless networks in windows:
<table>
<tr><td><img src="images/wcm.png"></td><td>The <b>Windows Connection Manager</b> (Wcmsvc) is closely associated with the UI controls (taskbar icon) to connect to various networks, including wireless networks. It accepts and processes input from the user and feeds it to the core wireless service. </td></tr>
<tr><td><img src="images/wlan.png"></td><td>The <b>WLAN Autoconfig Service</b> (WlanSvc) handles the following core functions of wireless networks in windows:
- Scanning for wireless networks in range
- Managing connectivity of wireless networks
- Managing connectivity of wireless networks</td></tr>
<tr><td><img src="images/msm.png"></td><td>The <b>Media Specific Module</b> (MSM) handles security aspects of connection being established.</td></tr>
<tr><td><img src="images/wifi-stack.png"></td><td>The <b>Native Wifi stack</b> consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc.</td></tr>
<tr><td><img src="images/miniport.png"></td><td>Third-party <b>wireless miniport</b> drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows.</td></tr>
</table>
The Media Specific Module (MSM) handles security aspects of connection being established.
The Native Wifi stack consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc.
Third-party wireless miniport drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows.
The wifi connection state machine has the following states:
- Reset
- Ihv_Configuring
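Review bot: two of the rewritten repro bullets still read as fragments: "netsh trace stop command needs to be triggered automatically ... to ensure trace doesnt overwrite the repro data" and "If intermittent connection drops trigger stop command on a script (ping or test network constantly until fail, then netsh trace stop)". Suggested: `- If the issue is intermittent but rare, trigger the netsh trace stop command automatically (or at least alert an admin quickly) so that the circular trace doesn't overwrite the repro data.` and `- For intermittent connection drops, run a script that pings or otherwise tests the network continuously and runs netsh trace stop as soon as it fails.` The context line `[Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/40009469)` has an eight-digit KB number while every other entry in the list has seven; please verify it. In the new component table, the markdown bullets `- Scanning for wireless networks in range` / `- Managing connectivity of wireless networks` sit inside a `<td>`, where they will most likely render as literal text rather than a list; use `<ul><li>` there, and capitalise "in windows". Since `capture=yes` adds a packet capture to the trace and the stop step bundles everything into wireless.cab, the data collection steps would benefit from one sentence telling the reader that the resulting files contain network traffic from the environment and should be stored and shared as sensitive data.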
@ -99,86 +113,105 @@ Reset --> Ihv_Configuring --> Configuring --> Associating --> Authenticating -->
Connected --> Roaming --> Wait_For_Disconnected --> Disconnected --> Reset
- Filtering the ETW trace with the provided [TextAnalyisTool (TAT)](Missing wifi.tat file) filter is an easy first step to determine where a failed connection setup is breaking down:
Use the **FSM transition** trace filter to see the connection state machine.
Example of a good connection setup:
>Filtering the ETW trace with the [TextAnalysisTool](https://github.com/TextAnalysisTool/Releases) (TAT) is an easy first step to determine where a failed connection setup is breaking down. A useful [wifi filter file](#wifi-filter-file) is included at the bottom of this article.
```
Use the **FSM transition** trace filter to see the connection state machine. You can see [an example](#textanalysistool-example) of this filter applied in the TAT at the bottom of this page.
The following is an example of a good connection setup:
<pre>
44676 [2]0F24.1020::2018-09-17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset
45473 [1]0F24.1020::2018-09-17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv\_Configuring
45597 [3]0F24.1020::2018-09-17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv\_Configuring to State: Configuring
45473 [1]0F24.1020::2018-09-17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv_Configuring
45597 [3]0F24.1020::2018-09-17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv_Configuring to State: Configuring
46085 [2]0F24.17E0::2018-09-17 10:22:14.710 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Configuring to State: Associating
47393 [1]0F24.1020::2018-09-17 10:22:14.879 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Associating to State: Authenticating
49465 [2]0F24.17E0::2018-09-17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Connected
```
Example of a failed connection setup:
```
</pre>
The following is an example of a failed connection setup:
<pre>
44676 [2]0F24.1020::2018-09-17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset
45473 [1]0F24.1020::2018-09-17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv\_Configuring
45597 [3]0F24.1020::2018-09-17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv\_Configuring to State: Configuring
45473 [1]0F24.1020::2018-09-17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv_Configuring
45597 [3]0F24.1020::2018-09-17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv_Configuring to State: Configuring
46085 [2]0F24.17E0::2018-09-17 10:22:14.710 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Configuring to State: Associating
47393 [1]0F24.1020::2018-09-17 10:22:14.879 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Associating to State: Authenticating
49465 [2]0F24.17E0::2018-09-17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Roaming
```
By identifying the state at which the connection fails, one can focus more specifically in the trace on logs just prior to the last known good state. Examining **[Microsoft-Windows-WLAN-AutoConfig]** logs just prior to the bad state change should show evidence of error. Often, however, the error is propagated up through other wireless components.
</pre>
By identifying the state at which the connection fails, one can focus more specifically in the trace on logs just prior to the last known good state.
Examining **[Microsoft-Windows-WLAN-AutoConfig]** logs just prior to the bad state change should show evidence of error. Often, however, the error is propagated up through other wireless components.
In many cases the next component of interest will be the MSM, which lies just below Wlansvc.
![MSM details](images/msmdetails.png)
The important components of the MSM include:
- Security Manager (SecMgr) - handles all pre and post-connection security operations.
- Authentication Engine (AuthMgr) Manages 802.1x auth requests
![MSM details](images/msmdetails.png)
Each of these components has their own individual state machines which follow specific transitions.
Enable the **FSM transition, SecMgr Transition,** and **AuthMgr Transition** filters in TextAnalysisTool for more detail.
Continuing with the example above, the combined filters look like this:
```
<pre>
[2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Reset to State: Ihv_Configuring
[2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Ihv_Configuring to State: Configuring
[1] 0C34.2FE8::08/28/17-13:24:28.711 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Configuring to State: Associating
[0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition INACTIVE (1) --> ACTIVE (2)
[0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition ACTIVE (2) --> START AUTH (3)
[0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition INACTIVE (1) --> ACTIVE (2)
[0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition ACTIVE (2) --> START AUTH (3)
[4] 0EF8.0708::08/28/17-13:24:28.928 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition ENABLED --> START_AUTH
[3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Associating to State: Authenticating
[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
[4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition START_AUTH --> AUTHENTICATING
[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
[2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Authenticating to State: Roaming
```
</pre>
> [!NOTE]
> In this line the SecMgr transition is suddenly deactivating. This transition is what eventually propagates to the main connection state machine and causes the Authenticating phase to devolve to Roaming state. As before, it makes sense to focus on tracing just prior to this SecMgr behavior to determine the reason for the deactivation.
> In the next to last line the SecMgr transition is suddenly deactivating:<br>
>\[2\] 0C34.2FF0::08/28/17-13:24:29.7512788 \[Microsoft-Windows-WLAN-AutoConfig\]Port\[13\] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)<br><br>
>This transition is what eventually propagates to the main connection state machine and causes the Authenticating phase to devolve to Roaming state. As before, it makes sense to focus on tracing just prior to this SecMgr behavior to determine the reason for the deactivation.
- Enabling the **Microsoft-Windows-WLAN-AutoConfig** filter will show more detail leading to the DEACTIVATE transition:
Enabling the **Microsoft-Windows-WLAN-AutoConfig** filter will show more detail leading to the DEACTIVATE transition:
```
<pre>
[3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Associating to State: Authenticating
[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
[4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition START_AUTH --> AUTHENTICATING
[0]0EF8.2EF4::08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PHY_STATE_CHANGE
[0]0EF8.2EF4::08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Change radio state for interface = Intel(R) Centrino(R) Ultimate-N 6300 AGN : PHY = 3, software state = on , hardware state = off )
[0] 0EF8.1174::08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PORT_DOWN
[0] 0EF8.1174::08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]FSM Current state Authenticating , event Upcall_Port_Down
[0] 0EF8.1174:: 08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received IHV PORT DOWN, peer 0x186472F64FD2
[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
[2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Authenticating to State: Roaming
```
- The trail backwards reveals a Port Down notification. Port events indicate changes closer to the wireless hardware. The trail can be followed by continuing to see the origin of this indication.
Below, the MSM is the native wifi stack (as seen in Figure 1). These are Windows native wifi drivers which talk to the wifi miniport driver(s). It is responsible for converting Wi-Fi (802.11) packets to 802.3 (Ethernet) so that TCPIP and other protocols and can use it.
</pre>
The trail backwards reveals a **Port Down** notification:
\[0\] 0EF8.1174:: 08/28/17-13:24:29.705 \[Microsoft-Windows-WLAN-AutoConfig\]Received IHV PORT DOWN, peer 0x186472F64FD2
Port events indicate changes closer to the wireless hardware. The trail can be followed by continuing to see the origin of this indication.
Below, the MSM is the native wifi stack. These are Windows native wifi drivers which talk to the wifi miniport drivers. It is responsible for converting Wi-Fi (802.11) packets to 802.3 (Ethernet) so that TCPIP and other protocols and can use it.
Enable trace filter for **[Microsoft-Windows-NWifi]:**
```
<pre>
[3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Associating to State: Authenticating
[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
[4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x8A1514B62510 AuthMgr Transition START_AUTH --> AUTHENTICATING
[0]0000.0000::08/28/17-13:24:29.127 [Microsoft-Windows-NWiFi]DisAssoc: 0x8A1514B62510 Reason: 0x4
[0]0EF8.2EF4::08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PHY_STATE_CHANGE
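Review bot: the note "In the next to last line the SecMgr transition is suddenly deactivating" quotes `SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)`, but the deactivation itself is the line before it, `SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)`; quote that one (or both) so the reader focuses on the right transition. Replacing `Port<13>` with `Port[13]` in the trace excerpts avoids `<13>` being swallowed as an HTML tag inside `<pre>`, but it also changes the literal text a reader will search for in their own trace; either use `Port&lt;13&gt;` or add a sentence saying the brackets were changed for rendering. "Below, the MSM is the native wifi stack" contradicts the component table, which lists the MSM and the Native Wifi stack as separate layers; the old text ("as seen in Figure 1") meant "beneath the MSM", so drop the comma: `Below the MSM is the native Wi-Fi stack.` The same paragraph keeps "so that TCPIP and other protocols and can use it" with the stray "and" from the old line. The rewritten TAT paragraph begins with `>` and therefore renders as a blockquote while its continuation "Use the **FSM transition** trace filter..." does not; remove the `>`, and verify that the `#textanalysistool-example` anchor resolves to a heading in the file. The two MSM bullets are formatted differently (`Security Manager (SecMgr) - handles ...` versus `Authentication Engine (AuthMgr) Manages 802.1x auth requests`); use the same separator and `802.1X`. The quoted Port Down line is placed as bare escaped text whereas the later DisAssoc line is quoted inside `<pre>`; use `<pre>` for both.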
@ -186,14 +219,108 @@ Associating to State: Authenticating
[0] 0EF8.1174::08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PORT_DOWN
[0] 0EF8.1174::08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]FSM Current state Authenticating , event Upcall_Port_Down
[0] 0EF8.1174:: 08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received IHV PORT DOWN, peer 0x186472F64FD2
[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
[2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Authenticating to State: Roaming
Authenticating to State: Roaming</pre>
In the trace above, we see the line:
<pre>
[0]0000.0000::08/28/17-13:24:29.127 [Microsoft-Windows-NWiFi]DisAssoc: 0x8A1514B62510 Reason: 0x4</pre>
This is followed by **PHY_STATE_CHANGE** and **PORT_DOWN** events due to a disassociate coming from the Access Point (AP), as an indication to deny the connection. This could be due to invalid credentials, connection parameters, loss of signal/roaming, and various other reasons for aborting a connection. The action here would be to examine the reason for the disassociate sent from the indicated AP MAC (8A:15:14:B6:25:10). This would be done by examining internal logging/tracing from the AP.
### Resources
[802.11 Wireless Tools and Settings](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755892(v%3dws.10))<br>
[Understanding 802.1X authentication for wireless networks](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759077%28v%3dws.10%29)<br>
## Example ETW capture
<pre>
C:\tmp>netsh trace start wireless_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl
Trace configuration:
-------------------------------------------------------------------
Status: Running
Trace File: C:\tmp\wireless.etl
Append: Off
Circular: On
Max Size: 4096 MB
Report: Off
C:\tmp>netsh trace stop
Correlating traces ... done
Merging traces ... done
Generating data collection ... done
The trace file and additional troubleshooting information have been compiled as "c:\tmp\wireless.cab".
File location = c:\tmp\wireless.etl
Tracing session was successfully stopped.
C:\tmp>netsh trace convert c:\tmp\wireless.etl
Input file: c:\tmp\wireless.etl
Dump file: c:\tmp\wireless.txt
Dump format: TXT
Report file: -
Generating dump ... done
C:\tmp>dir
Volume in drive C has no label.
Volume Serial Number is 58A8-7DE5
Directory of C:\tmp
01/09/2019 02:59 PM [DIR] .
01/09/2019 02:59 PM [DIR] ..
01/09/2019 02:59 PM 4,855,952 wireless.cab
01/09/2019 02:56 PM 2,752,512 wireless.etl
01/09/2019 02:59 PM 2,786,540 wireless.txt
3 File(s) 10,395,004 bytes
2 Dir(s) 46,648,332,288 bytes free
</pre>
## Wifi filter file
Copy and paste all the lines below and save them into a text file named "wifi.tat." Load the filter file into the TextAnalysisTool by clicking **File > Load Filters**.
```
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<TextAnalysisTool.NET version="2018-01-03" showOnlyFilteredLines="False">
<filters>
<filter enabled="n" excluding="n" description="" foreColor="000000" backColor="d3d3d3" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-OneX]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Unknown]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-EapHost]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[]***" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-Winsock-AFD]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-WinHttp]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-WebIO]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-Winsock-NameResolution]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-TCPIP]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-DNS-Client]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-NlaSvc]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-Iphlpsvc-Trace]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-DHCPv6-Client]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-Dhcp-Client]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-NCSI]" />
<filter enabled="y" excluding="n" description="" backColor="90ee90" type="matches_text" case_sensitive="n" regex="n" text="AuthMgr Transition" />
<filter enabled="y" excluding="n" description="" foreColor="0000ff" backColor="add8e6" type="matches_text" case_sensitive="n" regex="n" text="FSM transition" />
<filter enabled="y" excluding="n" description="" foreColor="000000" backColor="dda0dd" type="matches_text" case_sensitive="n" regex="n" text="SecMgr transition" />
<filter enabled="y" excluding="n" description="" foreColor="000000" backColor="f08080" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-NWiFi]" />
<filter enabled="y" excluding="n" description="" foreColor="000000" backColor="ffb6c1" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-WiFiNetworkManager]" />
<filter enabled="y" excluding="n" description="" foreColor="000000" backColor="dda0dd" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-WLAN-AutoConfig]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-NetworkProfile]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-WFP]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-WinINet]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[MSNT_SystemTrace]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="Security]Capability" />
</filters>
</TextAnalysisTool.NET>
```
The port down event is occurring due to a Disassociate coming Access Point as an indication to deny the connection. This could be due to invalid credentials, connection parameters, loss of signal/roaming, and various other reasons for aborting a connection. The action here would be to examine the reason for the disassociate sent from the indicated AP MAC (8A:15:14:B6:25:10). This would be done by examining internal logging/tracing from MAC device.
### **Resources**
### [802.11 Wireless Tools and Settings](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755892(v%3dws.10))
### [Understanding 802.1X authentication for wireless networks](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759077%28v%3dws.10%29)
## TextAnalysisTool example
In the following example, the **View** settings are configured to **Show Only Filtered Lines**.
![TAT filter example](images/tat.png)
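Review bot: the sentence "due to a Disassociate coming Access Point" in the closing paragraph is missing words; suggest "due to a Disassociate coming from the Access Point". The two links under **Resources** are written as `###` headings, which renders each link as a heading of its own; a bullet list would match the rest of the page. The "TextAnalysisTool example" section also lands after Resources, separating the screenshot from the filter file it illustrates; consider moving it directly above Resources.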

View File

@ -1,78 +1,72 @@
---
title: Data Collection for Troubleshooting 802.1x Authentication
description: Data needed for reviewing 802.1x Authentication issues
keywords: troubleshooting, data collection, data, 802.1x authentication, authentication, data
title: Data collection for troubleshooting 802.1X authentication
description: Data needed for reviewing 802.1X Authentication issues
keywords: troubleshooting, data collection, data, 802.1X authentication, authentication, data
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
author: kaushika-msft
ms.localizationpriority: medium
ms.author: mikeblodge
ms.date: 10/29/2018
---
# Data Collection for Troubleshooting 802.1x Authentication
# Data collection for troubleshooting 802.1X authentication
Use the following steps to collect data that can be used to troubleshoot 802.1X authentication issues. When you have collected data, see [Advanced troubleshooting 802.1X authentication](advanced-troubleshooting-802-authentication.md).
## Capture wireless/wired functionality logs
Use the following steps to collect wireless and wired logs on Windows and Windows Server:
1. Create C:\MSLOG on the client machine to store captured logs.
2. Launch a command prompt as an administrator on the client machine, and run the following commands to start RAS trace log and Wireless/Wired scenario log.
2. Launch an elevated command prompt on the client machine, and run the following commands to start a RAS trace log and a Wireless/Wired scenario log.
**Wireless Windows 8.1 and Windows 10:**
```
netsh ras set tracing * enabled
netsh trace start scenario=wlan,wlan_wpp,wlan_dbg,wireless_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl
```
**Wireless Windows 7 and Windows 8:**
<br>**Wireless Windows 7 and Windows 8:**
```
netsh ras set tracing * enabled
netsh trace start scenario=wlan,wlan_wpp,wlan_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl
```
**Wired client, regardless of version**
<br>**Wired client, regardless of version**
```
netsh ras set tracing * enabled
netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_cli.etl
```
3. Run the following command to enable CAPI2 logging:
```
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
```
4. Create C:\MSLOG on the NPS to store captured logs.
5. Launch a command prompt as an administrator on the NPS and run the following commands to start RAS trace log and Wireless/Wired scenario log:
5. Launch an elevated command prompt on the NPS server and run the following commands to start a RAS trace log and a Wireless/Wired scenario log:
**Windows Server 2012 R2, Windows Server 2016 wireless network:**
```
netsh ras set tracing * enabled
netsh trace start scenario=wlan,wlan_wpp,wlan_dbg,wireless_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl
```
**Windows Server 2008 R2, Windows Server 2012 wireless network**
<br>**Windows Server 2008 R2, Windows Server 2012 wireless network**
```
netsh ras set tracing * enabled
netsh trace start scenario=wlan,wlan_wpp,wlan_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl
```
**Wired network**
<br>**Wired network**
```
netsh ras set tracing * enabled
netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_nps.etl
```
6. Run the following command to enable CAPI2 logging:
```
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
```
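Review bot: the **Wireless Windows 8.1 and Windows 10:** label in step 2 has no `<br>` prefix while the Windows 7/8 and wired labels in the same step (and their counterparts in step 5) now get one, so the first label renders differently from its siblings. Steps 2 and 5 start the trace with `capture=yes`, so the resulting `.etl` files contain a packet capture of the authentication exchange; since this is the point where that data is first created, a sentence telling the reader to treat the contents of `C:\MSLOG` as sensitive and delete them once the case is closed would help. Minor: `netsh ras set tracing * enabled` is repeated in every block; stating once that it applies to all scenarios would shorten the section.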
@ -82,16 +76,16 @@ Use the following steps to collect wireless and wired logs on Windows and Window
> When the mouse button is clicked, the cursor will blink in red while capturing a screen image.
```
psr /start /output c:\MSLOG\%computername%_psr.zip /maxsc 100
psr /start /output c:\MSLOG\%computername%_psr.zip /maxsc 100
```
8. Repro the issue.
9. Run the following command on the client PC to stop the PSR capturing:
```
psr /stop
psr /stop
```
10. Run the following commands from the command prompt on the NPS.
10. Run the following commands from the command prompt on the NPS server.
- To stop RAS trace log and wireless scenario log:
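Review bot: step 8 "Repro the issue." is internal shorthand; "Reproduce the issue." reads better in customer-facing docs. The `psr /start ... /maxsc 100` command stores a screenshot on every click, so whatever is on screen during the repro (including credential prompts) ends up in the zip; the note above the command explains the blinking cursor but not this, and a sentence on it would let the reader decide what to keep on screen.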
@ -134,14 +128,14 @@ Use the following steps to collect wireless and wired logs on Windows and Window
- C:\MSLOG\%COMPUTERNAME%_wireless_nps.cab (%COMPUTERNAME%_wired_nps.cab for wired scenario)
- All log files and folders in %Systemroot%\Tracing
## Save environmental and configuration information
## Save environment and configuration information
### On Windows client
1. Create C:\MSLOG to store captured logs.
2. Launch a command prompt as an administrator.
3. Run the following commands.
- Environmental information and Group Policies application status
- Environment information and Group Policy application status
```
gpresult /H C:\MSLOG\%COMPUTERNAME%_gpresult.htm
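Review bot: "All log files and folders in %Systemroot%\Tracing" collects every trace present on the machine, not only the ones this procedure produced; naming the files expected there after `netsh ras set tracing * enabled` would keep the upload minimal and avoid shipping unrelated traces. The "Environment information and Group Policy application status" wording fix is good; the heading "On Windows client" just above would read better as "On the Windows client".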
@ -299,7 +293,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window
4. Save the logs stored in C:\MSLOG.
### Certificate Authority (CA) (OPTIONAL)
## Certification Authority (CA) (OPTIONAL)
1. On a CA, launch a command prompt as an administrator. Create C:\MSLOG to store captured logs.
2. Run the following commands.
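Review bot: the CA section heading moves from `###` to `##`, so "Certification Authority (CA) (OPTIONAL)" is no longer a sibling of "### On Windows client" under "Save environment and configuration information". If the CA steps are meant to stay inside that section, keep `###`; if they are meant to be a top-level section, the other sub-sections need the same treatment.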
@ -378,7 +372,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window
```powershell
Import-Module ActiveDirectory
Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter \* -Properties \* | fl \* > C:\MSLOG\Get-ADObject_$Env:COMPUTERNAME.txt
Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter * -Properties * | fl * > C:\MSLOG\Get-ADObject_$Env:COMPUTERNAME.txt
```
7. Save the following logs.
- All files in C:\MSLOG on the CA
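Review bot: the `-SearchBase` argument in the `Get-ADObject` line carries stray `;` characters around the quoted DN (`";CN=Public Key Services,...,DC=local";`), which breaks the command when pasted; the DN should be a plain quoted string. The forest name `DC=test,DC=local` is also hardcoded, so readers must edit it; `(Get-ADRootDSE).configurationNamingContext` returns the Configuration container for whatever forest the command runs in and would remove that step. Dropping the backslash escapes on `*` is the right fix.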

View File

@ -1760,6 +1760,13 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
## Change history in MDM documentation
### January 2019
|New or updated topic | Description|
|--- | ---|
|[Policy CSP - Storage](policy-csp-storage.md)|Added the following new policies: AllowStorageSenseGlobal, ConfigStorageSenseGlobalCadence, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseRecycleBinCleanupThreshold, ConfigStorageSenseDownloadsCleanupThreshold, and ConfigStorageSenseCloudContentCleanupThreshold.|
|[SharedPC CSP](sharedpc-csp.md)|Updated values and supported operations.|
### December 2018
|New or updated topic | Description|
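Review bot: the Storage row lists ConfigStorageSenseCloudContentCleanupThreshold, but the policy documented in policy-csp-storage.md in this same commit is Storage/ConfigStorageSenseCloudContentDehydrationThreshold; one of the two names is wrong and the link anchors will not line up. The row also counts six new policies, so cross-check it against the ToC of policy-csp-storage.md, which gains only five anchors in this commit.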

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/27/2018
ms.date: 01/14/2019
---
# Policy CSP - Storage
@ -24,6 +24,21 @@ ms.date: 08/27/2018
<dd>
<a href="#storage-allowdiskhealthmodelupdates">Storage/AllowDiskHealthModelUpdates</a>
</dd>
<dd>
<a href="#storage-allowstoragesenseglobal">Storage/AllowStorageSenseGlobal</a>
</dd>
<dd>
<a href="#storage-allowstoragesensetemporaryfilescleanup">Storage/AllowStorageSenseTemporaryFilesCleanup</a>
</dd>
<dd>
<a href="#storage-configstoragesensecloudcontentdehydrationthreshold">Storage/ConfigStorageSenseCloudContentDehydrationThreshold</a>
</dd>
<dd>
<a href="#storage-configstoragesenseglobalcadence">Storage/ConfigStorageSenseGlobalCadence</a>
</dd>
<dd>
<a href="#storage-configstoragesenserecyclebincleanupthreshold">Storage/ConfigStorageSenseRecycleBinCleanupThreshold</a>
</dd>
<dd>
<a href="#storage-enhancedstoragedevices">Storage/EnhancedStorageDevices</a>
</dd>
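Review bot: the ToC adds anchors for five new Storage Sense policies but omits Storage/ConfigStorageSenseDownloadsCleanupThreshold, which is documented further down in this file (`id="storage-configstoragesensedownloadscleanupthreshold"`) and listed in the change history; add a `<dd>` entry for it between the CloudContentDehydrationThreshold and GlobalCadence entries to keep the alphabetical order.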
@ -73,8 +88,6 @@ ms.date: 08/27/2018
<!--Description-->
Added in Windows 10, version 1709. Allows disk health model updates.
Value type is integer.
<!--/Description-->
@ -97,6 +110,420 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="storage-allowstoragesenseglobal"></a>**Storage/AllowStorageSenseGlobal**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Storage Sense can automatically clean some of the users files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space and is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the Storage/ConfigStorageSenseGlobalCadence group policy.
If you enable this policy setting without setting a cadence, Storage Sense is turned on for the machine with the default cadence of "during low free disk space." Users cannot disable Storage Sense, but they can adjust the cadence (unless you also configure the Storage/ConfigStorageSenseGlobalCadence group policy).
If you disable this policy setting, the machine will turn off Storage Sense. Users cannot enable Storage Sense.
If you do not configure this policy setting, Storage Sense is turned off by default until the user runs into low disk space or the user enables it manually. Users can configure this setting in Storage settings.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow Storage Sense*
- GP name: *SS_AllowStorageSenseGlobal*
- GP path: *SOFTWARE/Policies/Microsoft/Windows/StorageSense*
- GP ADMX file name: *StorageSense.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="storage-allowstoragesensetemporaryfilescleanup"></a>**Storage/AllowStorageSenseTemporaryFilesCleanup**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
When Storage Sense runs, it can delete the users temporary files that are not in use.
If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect.
If you enable this policy setting, Storage Sense will delete the users temporary files that are not in use. Users cannot disable this setting in Storage settings.
If you disable this policy setting, Storage Sense will not delete the users temporary files. Users cannot enable this setting in Storage settings.
If you do not configure this policy setting, Storage Sense will delete the users temporary files by default. Users can configure this setting in Storage settings.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow Storage Sense Temporary Files cleanup*
- GP name: *SS_AllowStorageSenseTemporaryFilesCleanup*
- GP path: *System/StorageSense*
- GP ADMX file name: *StorageSense.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="storage-configstoragesensecloudcontentdehydrationthreshold"></a>**Storage/ConfigStorageSenseCloudContentDehydrationThreshold**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
When Storage Sense runs, it can dehydrate cloud-backed content that hasnt been opened in a certain amount of days.
If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect.
If you enable this policy setting, you must provide the number of days since a cloud-backed file has been opened before Storage Sense will dehydrate it. Supported values are: 0365.
If you set this value to zero, Storage Sense will not dehydrate any cloud-backed content. The default value is 0, which never dehydrates cloud-backed content.
If you disable or do not configure this policy setting, then Storage Sense will not dehydrate any cloud-backed content by default. Users can configure this setting in Storage settings.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Configure Storage Sense Cloud Content dehydration threshold*
- GP name: *SS_ConfigStorageSenseCloudContentDehydrationThreshold*
- GP path: *System/StorageSense*
- GP ADMX file name: *StorageSense.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="storage-configstoragesensedownloadscleanupthreshold"></a>**Storage/ConfigStorageSenseDownloadsCleanupThreshold**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
When Storage Sense runs, it can delete files in the users Downloads folder if they have been there for over a certain amount of days.
If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect.
If you enable this policy setting, you must provide the minimum age threshold (in days) of a file in the Downloads folder before Storage Sense will delete it. Supported values are: 0365.
If you set this value to zero, Storage Sense will not delete files in the users Downloads folder. The default is 0, or never deleting files in the Downloads folder.
If you disable or do not configure this policy setting, then Storage Sense will not delete files in the users Downloads folder by default. Users can configure this setting in Storage settings.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Configure Storage Storage Downloads cleanup threshold*
- GP name: *SS_ConfigStorageSenseDownloadsCleanupThreshold*
- GP path: *System/StorageSense*
- GP ADMX file name: *StorageSense.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="storage-configstoragesenseglobalcadence"></a>**Storage/ConfigStorageSenseGlobalCadence**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Storage Sense can automatically clean some of the users files to free up disk space.
If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect.
If you enable this policy setting, you must provide the desired Storage Sense cadence.
The following are supported options:
- 1 Daily
- 7 Weekly
- 30 Monthly
- 0 During low free disk space
The default is 0 (during low free disk space).
If you do not configure this policy setting, then the Storage Sense cadence is set to “during low free disk space” by default. Users can configure this setting in Storage settings.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Configure Storage Sense cadence*
- GP name: *RemovableDisks_DenyWrite_Access_2*
- GP path: *SOFTWARE/Policies/Microsoft/Windows/StorageSense*
- GP ADMX file name: *StorageSense.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="storage-configstoragesenserecyclebincleanupthreshold"></a>**Storage/ConfigStorageSenseRecycleBinCleanupThreshold**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
When Storage Sense runs, it can delete files in the users Recycle Bin if they have been there for over a certain amount of days.
If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect.
If you enable this policy setting, you must provide the minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it. Supported values are: 0365.
If you set this value to zero, Storage Sense will not delete files in the users Recycle Bin. The default is 30 days.
If you disable or do not configure this policy setting, Storage Sense will delete files in the users Recycle Bin that have been there for over 30 days by default. Users can configure this setting in Storage settings.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Configure Storage Sense Recycle Bin cleanup threshold*
- GP name: *SS_ConfigStorageSenseRecycleBinCleanupThreshold*
- GP path: *System/StorageSense*
- GP ADMX file name: *StorageSense.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="storage-enhancedstoragedevices"></a>**Storage/EnhancedStorageDevices**
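Review bot: the ADMX mapping for Storage/ConfigStorageSenseGlobalCadence gives `GP name: *RemovableDisks_DenyWrite_Access_2*`, which belongs to a removable-disk policy and does not follow the `SS_` naming used by the other five mappings in this hunk; it needs the real StorageSense.admx policy name. Other issues in the same hunk: the GP path is `SOFTWARE/Policies/Microsoft/Windows/StorageSense` (a registry path) for AllowStorageSenseGlobal and ConfigStorageSenseGlobalCadence but `System/StorageSense` (a Group Policy editor path) for the other four, and one form should be used throughout; the GP English name for ConfigStorageSenseDownloadsCleanupThreshold reads "Configure Storage Storage Downloads cleanup threshold"; every `<!--SupportedValues-->` block is empty even though the descriptions define the 0 to 365 day ranges and the 0/1/7/30 cadence values; and the cadence entry lacks the "If you disable this policy setting" paragraph that the other entries carry. All six SKU tables reference footnote 6, so the footnote list at the end of the file must define it.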
@ -221,6 +648,9 @@ ADMX Info:
<!--/Validation-->
<!--/Policy-->
<!--/Policies-->
<hr/>
Footnote:

View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 06/26/2017
ms.date: 01/16/2019
---
# SharedPC CSP
@ -27,18 +27,18 @@ The supported operation is Get.
<a href="" id="enablesharedpcmode"></a>**EnableSharedPCMode**
A boolean value that specifies whether Shared PC mode is enabled.
The supported operations are Get and Replace.
The supported operations are Add, Get, Replace, and Delete.
Setting this value to True triggers the action to configure a device to Shared PC mode.
The default value is False.
The default value is Not Configured and SharedPC mode is not enabled.
<a href="" id="setedupolicies"></a>**SetEduPolicies**
A boolean value that specifies whether the policies for education environment are enabled. Setting this value to true triggers the action to configure a device as education environment.
The supported operations are Get and Replace.
The supported operations are Add, Get, Replace, and Delete.
The default value changed to false in Windows 10, version 1703. This node needs to be configured independent of EnableSharedPCMode. In Windows 10, version 1607, the default value is true and education environment is automatically configured when SharedPC mode is configured.
The default value changed to false in Windows 10, version 1703. The default value is Not Configured and this node needs to be configured independent of EnableSharedPCMode. In Windows 10, version 1607, the value is set to True and the education environment is automatically configured when SharedPC mode is configured.
<a href="" id="setpowerpolicies"></a>**SetPowerPolicies**
Optional. A boolean value that specifies that the power policies should be set when configuring SharedPC mode.
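Review bot: EnableSharedPCMode now lists Delete as a supported operation, but the text only says that setting True triggers configuration; it should state what Delete (or Replace with False) does on a device that is already in Shared PC mode, since readers will assume it reverts the configuration. The same question applies to SetEduPolicies. "The default value is Not Configured and SharedPC mode is not enabled" would be clearer as two sentences.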
@ -46,9 +46,9 @@ Optional. A boolean value that specifies that the power policies should be set w
> [!Note]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Get and Replace.
The supported operations are Add, Get, Replace, and Delete.
The default value is True.
The default value is Not Configured and the effective power settings are determined by the OS's default power settings. Its value in the SharedPC provisioning package is True.
<a href="" id="maintenancestarttime"></a>**MaintenanceStartTime**
Optional. An integer value that specifies the daily start time of maintenance hour. Given in minutes from midnight. The range is 0-1440.
@ -56,9 +56,9 @@ Optional. An integer value that specifies the daily start time of maintenance ho
> [!Note]
>  If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Get and Replace.
The supported operations are Add, Get, Replace, and Delete.
The default value is 0 (12 AM).
The default value is Not Configured and its value in the SharedPC provisioning package is 0 (12 AM).
<a href="" id="signinonresume"></a>**SignInOnResume**
Optional. A boolean value that, when set to True, requires sign in whenever the device wakes up from sleep mode.
@ -66,9 +66,9 @@ Optional. A boolean value that, when set to True, requires sign in whenever the
> [!Note]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Get and Replace.
The supported operations are Add, Get, Replace, and Delete.
The default value is True.
The default value is Not Configured and its value in the SharedPC provisioning package is True.
<a href="" id="sleeptimeout"></a>**SleepTimeout**
The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. Default is 5 minutes. This node is optional.
@ -76,9 +76,9 @@ The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps.
> [!Note]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Get and Replace.
The supported operations are Add, Get, Replace, and Delete.
The default value changed to 300 in Windows 10, version 1703. The default value is 3600 in Windows 10, version 1607.
The default value is Not Configured, and effective behavior is determined by the OS's default settings. Its value in the SharedPC provisioning package for Windows 10, version 1703 is 300, and in Windows 10, version 1607 is 3600.
<a href="" id="enableaccountmanager"></a>**EnableAccountManager**
A boolean that enables the account manager for shared PC mode.
@ -86,9 +86,9 @@ A boolean that enables the account manager for shared PC mode.
> [!Note]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Get and Replace.
The supported operations are Add, Get, Replace, and Delete.
The default value is True.
The default value is Not Configured and its value in the SharedPC provisioning package is True.
<a href="" id="accountmodel"></a>**AccountModel**
Configures which type of accounts are allowed to use the PC.
@ -96,7 +96,7 @@ Configures which type of accounts are allowed to use the PC.
> [!Note]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Get and Replace.
The supported operations are Add, Get, Replace, and Delete.
The following list shows the supported values:
@ -104,13 +104,15 @@ The following list shows the supported values:
- 1 - Only domain-joined accounts are enabled.
- 2 - Domain-joined and guest accounts are allowed.
Its value in the SharedPC provisioning package is 1 or 2.
<a href="" id="deletionpolicy"></a>**DeletionPolicy**
Configures when accounts are deleted.
> [!Note]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Get and Replace.
The supported operations are Add, Get, Replace, and Delete.
For Windows 10, version 1607, here is the list shows the supported values:
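Review bot: "Its value in the SharedPC provisioning package is 1 or 2" for AccountModel does not tell the reader which value the package actually sets; a provisioning package carries one value, so name it or explain when each applies. The unchanged context line "here is the list shows the supported values" is ungrammatical; suggest "here is the list of supported values", matching the wording used for version 1703 in the next hunk.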
@ -123,17 +125,19 @@ For Windows 10, version 1703, here is the list of supported values:
- 1 - Delete at disk space threshold
- 2 - Delete at disk space threshold and inactive threshold
The default value is Not Configured. Its value in the SharedPC provisioning package is 1 or 2.
<a href="" id="diskleveldeletion"></a>**DiskLevelDeletion**
Sets the percentage of disk space remaining on a PC before cached accounts will be deleted to free disk space. Accounts that have been inactive the longest will be deleted first.
> [!Note]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The default value is 25.
The default value is Not Configured. Its default value in the SharedPC provisioning package is 25.
For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) during a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless whether the PC is actively in use or not.
For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) during a daily maintenance period, accounts will be deleted (oldest last used first) when the system is idle until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under half of the deletion threshold and disk space is very low, regardless of whether the PC is actively in use or not.
The supported operations are Get and Replace.
The supported operations are Add, Get, Replace, and Delete.
<a href="" id="disklevelcaching"></a>**DiskLevelCaching**
Sets the percentage of available disk space a PC should have before it stops deleting cached accounts.
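Review bot: the DeletionPolicy default line has the same "is 1 or 2" ambiguity as AccountModel. In the DiskLevelDeletion example, "under half of the deletion threshold" replaces "under the deletion threshold", which changes the documented behaviour (immediate deletion at 12.5% free rather than 25% with the package values in the example); that needs confirmation against the product, and the example still opens with "(both default values)" even though the default is now stated as Not Configured.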
@ -141,15 +145,16 @@ Sets the percentage of available disk space a PC should have before it stops del
> [!Note]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
The default value is 50.
The default value is Not Configured. The default value in the SharedPC provisioning package is 25.
For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) during a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless whether the PC is actively in use or not.
The supported operations are Add, Get, Replace, and Delete.
<a href="" id="restrictlocalstorage"></a>**RestrictLocalStorage**
Added in Windows 10, version 1703. Restricts the user from using local storage. This node is optional.
Default value is true Value type is bool. Supported operations are Get and Replace.
The default value is Not Configured and behavior is no such restriction applied. Value type is bool. Supported operations are Add, Get, Replace, and Delete. Default in SharedPC provisioning package is False.
> [!Note]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
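Review bot: the new DiskLevelCaching default line says the SharedPC provisioning package default is 25, but the replaced line said 50 and the unchanged example paragraph below it still uses 50 for DiskLevelCaching and 25 for DiskLevelDeletion; this reads like a copy of the DiskLevelDeletion sentence and should say 50. That example paragraph is also now out of step with the reworded copy under DiskLevelDeletion (daily maintenance period, system idle, half of the threshold); either make both say the same thing or drop the duplicate. For RestrictLocalStorage, the replaced line said the default was true and the new line says the package default is False; please confirm which is correct. Finally, the unchanged note lines here and under KioskModeAUMID, KioskModeUserTileDisplayText and MaxPageFileSizeMB read "must set" (missing "be"), which the DiskLevelDeletion note already has right.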
@ -157,7 +162,7 @@ Default value is true Value type is bool. Supported operations are Get and Repla
<a href="" id="kioskmodeaumid"></a>**KioskModeAUMID**
Added in Windows 10, version 1703. Specifies the AUMID of the app to use with assigned access. This node is optional.
Value type is string. Supported operations are Get and Replace.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
> [!Note]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
@ -165,7 +170,7 @@ Value type is string. Supported operations are Get and Replace.
<a href="" id="kioskmodeusertiledisplaytext"></a>**KioskModeUserTileDisplayText**
Added in Windows 10, version 1703. Specifies the display text for the account shown on the sign-in screen which launches the app specified by KioskModeAUMID. This node is optional.
Value type is string. Supported operations are Get and Replace.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
> [!Note]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
@ -173,7 +178,9 @@ Value type is string. Supported operations are Get and Replace.
<a href="" id="inactivethreshold"></a>**InactiveThreshold**
Added in Windows 10, version 1703. Accounts will start being deleted when they have not been logged on during the specified period, given as number of days.
Default value is 30. Value type is integer. Supported operations are Get and Replace.
The default value is Not Configured. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
The default in the SharedPC provisioning package is 30.
<a href="" id="maxpagefilesizemb"></a>**MaxPageFileSizeMB**
Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applies only to systems with less than 32 GB storage and at least 3 GB of RAM. This node is optional.
@ -181,9 +188,9 @@ Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applie
> [!Note]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
Default value is 1024. Value type is integer. Supported operations are Get and Replace.
Default value is Not Configured. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
The default in the SharedPC provisioning package is 1024.
## Related topics
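Review bot: the new MaxPageFileSizeMB line reads "Default value is Not Configured" while the other nodes touched in this change say "The default value is Not Configured"; match the wording. The provisioning-package default is also split onto its own line here and under InactiveThreshold ("The default in the SharedPC provisioning package is 1024."), whereas DiskLevelDeletion and DiskLevelCaching fold it into the same sentence; pick one layout for all five nodes.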

View File

@ -1,20 +1,34 @@
---
title: Advanced troubleshooting for Windows networking issues
description: Learn how to troubleshoot networking issues.
title: Advanced troubleshooting for Windows networking
description: Learn how to troubleshoot networking
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
author: kaushika-msft
ms.localizationpriority: medium
ms.author: kaushika
ms.date:
---
# Advanced troubleshooting for Windows networking issues
# Advanced troubleshooting for Windows networking
In these topics, you will learn how to troubleshoot common problems related to Windows networking.
The following topics are available to help you troubleshoot common problems related to Windows networking.
- [Advanced troubleshooting Wireless Network](advanced-troubleshooting-wireless-network-connectivity.md)
- [Data collection for troubleshooting 802.1x authentication](data-collection-for-802-authentication.md)
- [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md)
- [Advanced troubleshooting for TCP/IP issues](troubleshoot-tcpip.md)
- [Advanced troubleshooting for wireless network connectivity](advanced-troubleshooting-wireless-network-connectivity.md)
- [Advanced troubleshooting 802.1X authentication](advanced-troubleshooting-802-authentication.md)
- [Data collection for troubleshooting 802.1X authentication](data-collection-for-802-authentication.md)
- [Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md)
- [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md)
- [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md)
- [Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md)
- [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md)
## Concepts and technical references
[802.1X authenticated wired access overview](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831831(v=ws.11))<br>
[802.1X authenticated wireless access overview](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994700(v%3dws.11))<br>
[Wireless cccess deployment overview](https://docs.microsoft.com/windows-server/networking/core-network-guide/cncg/wireless/b-wireless-access-deploy-overview)<br>
[TCP/IP technical reference](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd379473(v=ws.10))<br>
[Network Monitor](https://docs.microsoft.com/windows/desktop/netmon2/network-monitor)<br>
[RPC and the network](https://docs.microsoft.com/windows/desktop/rpc/rpc-and-the-network)<br>
[How RPC works](https://docs.microsoft.com/windows/desktop/rpc/how-rpc-works)<br>
[NPS reason codes](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v=ws.10))<br>
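Review bot: the new "Wireless cccess deployment overview" link has a typo in its title ("access"). The TCP/IP technical reference URL carries an "en-us" locale segment that the other links in this list do not; drop it so the link follows the reader's locale. ms.date in the front matter is still empty and should be set now that the page text has changed.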

View File

@ -16,29 +16,27 @@ In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is
To get started, [download and run NM34_x64.exe](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image.
![A view of the properties for the adapter](images/tcp-ts-1.png)
![Adapters](images/nm-adapters.png)
When the driver gets hooked to the network interface card (NIC) during installation, the NIC is reinitialized, which might cause a brief network glitch.
**To capture traffic**
1. Click **Start** and enter **Netmon**.
1. Run netmon in an elevated status by choosing Run as Administrator.
2. For **netmon run command**,select **Run as administrator**.
![Image of Start search results for Netmon](images/nm-start.png)
![Image of Start search results for Netmon](images/tcp-ts-3.png)
3. Network Monitor opens with all network adapters displayed. Select **New Capture**, and then select **Start**.
2. Network Monitor opens with all network adapters displayed. Select the network adapters where you want to capture traffic, click **New Capture**, and then click **Start**.
![Image of the New Capture option on menu](images/tcp-ts-4.png)
4. Reproduce the issue, and you will see that Network Monitor grabs the packets on the wire.
3. Reproduce the issue, and you will see that Network Monitor grabs the packets on the wire.
![Frame summary of network packets](images/tcp-ts-5.png)
5. Select **Stop**, and go to **File > Save as** to save the results. By default, the file will be saved as a ".cap" file.
4. Select **Stop**, and go to **File > Save as** to save the results. By default, the file will be saved as a ".cap" file.
The saved file has captured all the traffic that is flowing to and from the network adapters of this machine. However, your interest is only to look into the traffic/packets that are related to the specific connectivity problem you are facing. So you will need to filter the network capture to see only the related traffic.
The saved file has captured all the traffic that is flowing to and from the selected network adapters on the local computer. However, your interest is only to look into the traffic/packets that are related to the specific connectivity problem you are facing. So you will need to filter the network capture to see only the related traffic.
**Commonly used filters**
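Review bot: the new step 1 ("Run netmon in an elevated status by choosing Run as Administrator") is awkward and loses the guidance the two replaced steps gave on where to find the command; suggest "Click **Start**, enter **Netmon**, right-click the result, and select **Run as administrator**." The screenshot references move in opposite directions in this hunk (the adapter image goes from tcp-ts-1.png to nm-adapters.png while the Start-search image goes from nm-start.png to tcp-ts-3.png); please confirm both new image files are checked in. The closing sentence still has the clumsy "your interest is only to look into the traffic/packets"; "you only need the packets related to the specific connectivity problem" reads better.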
@ -56,5 +54,11 @@ The saved file has captured all the traffic that is flowing to and from the netw
Network traces which are collected using the **netsh** commands built in to Windows are of the extension "ETL". However, these ETL files can be opened using Network Monitor for further analysis.
## More information
[Intro to Filtering with Network Monitor 3.0](https://blogs.technet.microsoft.com/netmon/2006/10/17/intro-to-filtering-with-network-monitor-3-0/)<br>
[Network Monitor Filter Examples](https://blogs.technet.microsoft.com/rmilne/2016/08/11/network-monitor-filter-examples/)<br>
[Network Monitor Wireless Filtering](https://social.technet.microsoft.com/wiki/contents/articles/1900.network-monitor-wireless-filtering.aspx)<br>
[Network Monitor TCP Filtering](https://social.technet.microsoft.com/wiki/contents/articles/1134.network-monitor-tcp-filtering.aspx)<br>
[Network Monitor Conversation Filtering](https://social.technet.microsoft.com/wiki/contents/articles/1829.network-monitor-conversation-filtering.aspx)<br>
[How to setup and collect network capture using Network Monitor tool](https://blogs.technet.microsoft.com/msindiasupp/2011/08/10/how-to-setup-and-collect-network-capture-using-network-monitor-tool/)<br>

View File

@ -7,12 +7,34 @@ ms.sitesec: library
ms.author: elizapo
author: kaushika-msft
ms.localizationpriority: medium
ms.date: 11/08/2018
---
# Top support solutions for Windows 10
# Troubleshoot Windows 10 clients
This section contains advanced troubleshooting topics and links to help you resolve issues with Windows 10 clients. Additional topics will be added as they become available.
## Troubleshooting support topics
- [Advanced troubleshooting for Windows networking](troubleshoot-networking.md)<br>
- [Advanced troubleshooting wireless network connectivity](advanced-troubleshooting-wireless-network-connectivity.md)<br>
- [Advanced troubleshooting 802.1X authentication](advanced-troubleshooting-802-authentication.md)<br>
- [Data collection for troubleshooting 802.1X authentication](data-collection-for-802-authentication.md)<br>
- [Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md)<br>
- [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md)<br>
- [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md)<br>
- [Troubleshoot port exhaustion](troubleshoot-tcpip-port-exhaust.md)<br>
- [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md)<br>
- [Advanced troubleshooting for Windows startup](troubleshoot-windows-startup.md)<br>
- [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)<br>
- [Advanced troubleshooting for Windows-based computer issues](troubleshoot-windows-freeze.md)<br>
- [Advanced troubleshooting for stop errors or blue screen errors](troubleshoot-stop-errors.md)<br>
- [Advanced troubleshooting for stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md)<br>
## Windows 10 update history
Microsoft regularly releases both updates and solutions for Windows 10. To ensure your computers can receive future updates, including security updates, it's important to keep them updated. Check out the following links for a complete list of released updates:
- [Windows 10 version 1809 update history](https://support.microsoft.com/help/4464619)
- [Windows 10 version 1803 update history](https://support.microsoft.com/help/4099479)
- [Windows 10 version 1709 update history](https://support.microsoft.com/help/4043454)
- [Windows 10 Version 1703 update history](https://support.microsoft.com/help/4018124)
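Review bot: the new bullet list under "Troubleshooting support topics" ends every item with "<br>", which is unnecessary inside a markdown list and may render as stray line breaks; remove the tags. ms.date (11/08/2018) was left unchanged even though the title and intro were rewritten. In the update-history list, "Windows 10 Version 1703" is capitalized differently from the other entries ("version").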
@ -23,6 +45,7 @@ Microsoft regularly releases both updates and solutions for Windows 10. To ensur
These are the top Microsoft Support solutions for the most common issues experienced when using Windows 10 in an enterprise or IT pro environment. The links below include links to KB articles, updates, and library articles.
## Solutions related to installing Windows Updates
- [How does Windows Update work](https://docs.microsoft.com/en-us/windows/deployment/update/how-windows-update-works)
- [Windows Update log files](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-logs)
- [Windows Update troubleshooting](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-troubleshooting)
@ -34,7 +57,7 @@ These are the top Microsoft Support solutions for the most common issues experie
- [Quick Fixes](https://docs.microsoft.com/en-us/windows/deployment/upgrade/quick-fixes)
- [Troubleshooting upgrade errors](https://docs.microsoft.com/en-us/windows/deployment/upgrade/troubleshoot-upgrade-errors)
- [Resolution procedures](https://docs.microsoft.com/en-us/windows/deployment/upgrade/resolution-procedures)
- ["0xc1800118" error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/en-in/help/3194588/0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus)
- [0xc1800118 error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/en-in/help/3194588/0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus)
- [0xC1900101 error when Windows 10 upgrade fails after the second system restart](https://support.microsoft.com/en-in/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system)
## Solutions related to BitLocker

View File

@ -2,7 +2,7 @@
## [Deploy Windows 10 with Microsoft 365](deploy-m365.md)
## [What's new in Windows 10 deployment](deploy-whats-new.md)
## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
## [Windows Autopilot](windows-autopilot/windows-autopilot.md)
## [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md)
### [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md)
### [Configure VDA for Subscription Activation](vda-subscription-activation.md)
@ -19,13 +19,14 @@
## [Deploy Windows 10](deploy.md)
### [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md)
### [Windows 10 in S mode](s-mode.md)
#### [Switch to Windows 10 Pro/Enterprise from S mode](windows-10-pro-in-s-mode.md)
### [Windows Autopilot](windows-autopilot/windows-autopilot.md)
### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md)
### [Windows 10 volume license media](windows-10-media.md)
### [Windows 10 in S mode](s-mode.md)
#### [Switch to Windows 10 Pro/Enterprise from S mode](windows-10-pro-in-s-mode.md)
### [Windows 10 deployment test lab](windows-10-poc.md)
#### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
#### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
@ -212,9 +213,10 @@
### [Change history for deploy Windows 10](change-history-for-deploy-windows-10.md)
## [Update Windows 10](update/index.md)
### [Quick guide to Windows as a service](update/waas-quick-start.md)
#### [Servicing stack updates](update/servicing-stack-updates.md)
### [Overview of Windows as a service](update/waas-overview.md)
### [Windows as a service](update/windows-as-a-service.md)
#### [Quick guide to Windows as a service](update/waas-quick-start.md)
##### [Servicing stack updates](update/servicing-stack-updates.md)
#### [Overview of Windows as a service](update/waas-overview.md)
### [Understand how servicing differs in Windows 10](update/waas-servicing-differences.md)
### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md)
### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md)

View File

@ -59,7 +59,7 @@ Examples of these two deployment advisors are shown below.
## Related Topics
[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)<br>
[Modern Destop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home)
[Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home)

View File

@ -76,7 +76,7 @@ This section will show you how to populate the MDT deployment share with the Win
MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you have created. In this case, you create a reference image, so you add the full source setup files from Microsoft.
>[!OTE]  
>[!NOTE]  
>Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM.
 
### Add Windows 10 Enterprise x64 (full source)
@ -134,8 +134,8 @@ You also can customize the Office installation using a Config.xml file. But we r
Figure 5. The Install - Microsoft Office 2013 Pro Plus - x86 application properties.
**Note**  
If you don't see the Office Products tab, verify that you are using a volume license version of Office. If you are deploying Office 365, you need to download the Admin folder from Microsoft.
>[!NOTE] 
>If you don't see the Office Products tab, verify that you are using a volume license version of Office. If you are deploying Office 365, you need to download the Admin folder from Microsoft.
 
3. In the Office Customization Tool dialog box, select the Create a new Setup customization file for the following product option, select the Microsoft Office Professional Plus 2013 (32-bit) product, and click OK.
4. Use the following settings to configure the Office 2013 setup to be fully unattended:
@ -156,8 +156,8 @@ You also can customize the Office installation using a Config.xml file. But we r
- In the **Microsoft Office 2013** node, expand **Privacy**, select **Trust Center**, and enable the Disable Opt-in Wizard on first run setting.
5. From the **File** menu, select **Save**, and save the configuration as 0\_Office2013ProPlusx86.msp in the **E:\\MDTBuildLab\\Applications\\Install - Microsoft Office 2013 Pro Plus - x86\\Updates** folder.
**Note**  
The reason for naming the file with a 0 (zero) at the beginning is that the Updates folder also handles Microsoft Office updates, and they are installed in alphabetical order. The Office 2013 setup works best if the customization file is installed before any updates.
>[!NOTE] 
>The reason for naming the file with a 0 (zero) at the beginning is that the Updates folder also handles Microsoft Office updates, and they are installed in alphabetical order. The Office 2013 setup works best if the customization file is installed before any updates.
 
6. Close the Office Customization Tool, click Yes in the dialog box, and in the **Install - Microsoft Office 2013 Pro Plus - x86 Properties** window, click **OK**.
@ -333,8 +333,8 @@ The steps below walk you through the process of editing the Windows 10 referenc
2. Select the operating system for which roles are to be installed: Windows 10
3. Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0)
**Important**  
This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It is installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed.
>[!IMPORTANT]
>This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It is installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed.
 
![figure 7](../images/fig8-cust-tasks.png)
@ -456,8 +456,8 @@ For that reason, add only a minimal set of rules to Bootstrap.ini, such as which
Figure 12. The boot image rules for the MDT Build Lab deployment share.
**Note**  
For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it is acceptable to do so in this situation.
>[!NOTE]  
>For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it is acceptable to do so in this situation.
 
4. In the **Windows PE** tab, in the **Platform** drop-down list, select **x86**.
5. In the **Lite Touch Boot Image Settings** area, configure the following settings:
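Review bot: the converted callout about putting the password in Bootstrap.ini is a security caveat (credentials end up in the boot image), so [!WARNING] fits better than [!NOTE]; the later hunk in this same file that covers the clear-text UserPassword values already uses [!WARNING], and the two should be consistent.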
@ -514,8 +514,8 @@ So, what are these settings?
- **DeployRoot.** This is the location of the deployment share. Normally, this value is set by MDT, but you need to update the DeployRoot value if you move to another server or other share. If you don't specify a value, the Windows Deployment Wizard prompts you for a location.
- **UserDomain, UserID, and UserPassword.** These values are used for automatic log on to the deployment share. Again, if they are not specified, the wizard prompts you.
**Note**  
Caution is advised. These values are stored in clear text on the boot image. Use them only for the MDT Build Lab deployment share and not for the MDT Production deployment share that you learn to create in the next topic.
>[!WARNING]  
>Caution is advised. These values are stored in clear text on the boot image. Use them only for the MDT Build Lab deployment share and not for the MDT Production deployment share that you learn to create in the next topic.
 
- **SkipBDDWelcome.** Even if it is nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard.

View File

@ -49,6 +49,7 @@ sections:
<tr><td>[Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) </td><td>Check out the new Modern Deskop Deployment Center and discover content to help you with your Windows 10 and Office 365 ProPlus deployments.</td>
<tr><td>[What's new in Windows 10 deployment](deploy-whats-new.md) </td><td>See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization. </td>
<tr><td>[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) </td><td>To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. </td>
<tr><td>[Windows Autopilot](windows-autopilot/windows-autopilot.md) </td><td>Windows Autopilot enables an IT department to pre-configure new devices and repurpose existing devices with a simple process that requires little to no infrastructure.</td>
<tr><td>[Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) </td><td>Windows 10 Enterprise has traditionally been sold as on premises software, however, with Windows 10 version 1703 (also known as the Creators Update), both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as true online services via subscription. You can move from Windows 10 Pro to Windows 10 Enterprise with no keys and no reboots. If you are using a Cloud Service Providers (CSP) see the related topic: [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). </td>
<tr><td>[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) </td><td>This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. </td>
</table>
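Review bot: the unchanged row just above the new Windows Autopilot row still says "Modern Deskop Deployment Center", the same typo this change fixes in deploy.md; fix it here as well. The new row follows the existing rows in omitting the closing </tr>, which leaves the table HTML malformed; worth closing the tags while touching this table.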

View File

@ -34,12 +34,12 @@ See the following topics in this guide for detailed information about configurin
## Update Compliance architecture
The Update Compliance architecture and data flow is summarized by the following five-step process:
The Update Compliance architecture and data flow is summarized by the following four-step process:
**(1)** User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.<BR>
**(2)** Diagnostic data is analyzed by the Update Compliance Data Service.<BR>
**(3)** Diagnostic data is pushed from the Update Compliance Data Service to your Azure Monitor workspace.<BR>
**(4)** Diagnostic data is available in the Update Compliance solution.<BR>
1. User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.<BR>
2. Diagnostic data is analyzed by the Update Compliance Data Service.<BR>
3. Diagnostic data is pushed from the Update Compliance Data Service to your Azure Monitor workspace.<BR>
4. Diagnostic data is available in the Update Compliance solution.<BR>
>[!NOTE]
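Review bot: the four numbered items keep the trailing "<BR>" from the old bold-number layout, which is redundant inside a markdown ordered list and can add empty lines between items; remove the tags. The intro sentence also needs "are" rather than "is" ("The Update Compliance architecture and data flow are summarized ...").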
@ -51,4 +51,4 @@ The Update Compliance architecture and data flow is summarized by the following
## Related topics
[Get started with Update Compliance](update-compliance-get-started.md)<BR>
[Use Update Compliance to monitor Windows Updates](update-compliance-using.md)
[Use Update Compliance to monitor Windows Updates](update-compliance-using.md)

View File

@ -6,7 +6,7 @@ ms.topic: landing-page
ms.manager: elizapo
author: lizap
ms.author: elizapo
ms.date: 12/19/2018
ms.date: 01/17/2019
ms.localizationpriority: high
---
# Windows as a service
@ -17,14 +17,15 @@ Find the tools and resources you need to help deploy and support Windows as a se
Find the latest and greatest news on Windows 10 deployment and servicing.
**Windows 10 monthly updates**
> [!VIDEO https://www.youtube-nocookie.com/embed/BwB10v55WSk]
**Working to WIndows updates clear and transparent**
> [!VIDEO https://www.youtube-nocookie.com/embed/u5P20y39DrA]
Windows 10 is the most secure version of Windows yet. Learn what updates we release and when we release them, so you understand the efforts we take to keep your digital life safe and secure.
Everyone wins when transparency is a top priority. We want you to know when updates are available, as well as alert you to any potential issues you may encounter during or after you install an update. The Windows update history page is for anyone looking to gain an immediate, precise understanding of particular Windows update issues.
The latest news:
<ul compact style="list-style: none">
<li><a href="https://blogs.windows.com/windowsexperience/2019/01/15/application-compatibility-in-the-windows-ecosystem/#A8urpp1QEp6DHzmP.97">Application compatibility in the Windows ecosystem</a> - January 15, 2019</li>
<li><a href="https://blogs.windows.com/windowsexperience/2018/12/10/windows-monthly-security-and-quality-updates-overview/#UJJpisSpvyLokbHm.97">Windows monthly security and quality updates overview</a> - January 10, 2019</li>
<li><a href="https://blogs.windows.com/windowsexperience/2018/12/19/driver-quality-in-the-windows-ecosystem/#ktuodfovWAMAkssM.97">Driver quality in the Windows ecosystem</a> - December 19, 2018</li>
<li><a href="http://m365mdp.mpsn.libsynpro.com/001-windows-10-monthly-quality-updates">Modern Desktop Podcast - Episode 001 Windows 10 Monthly Quality Updates</a> - December 18, 2018</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Measuring-Delivery-Optimization-and-its-impact-to-your-network/ba-p/301809#M409">Measuring Delivery Optimization and its impact to your network</a> - December 13, 2018</li>
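Review bot: the new video heading "**Working to WIndows updates clear and transparent**" has a capitalization typo and is missing a word ("Working to make Windows updates clear and transparent"). In the news list, the "Windows monthly security and quality updates overview" entry is dated January 10, 2019 but its URL path is 2018/12/10; one of the two is wrong.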
@ -41,6 +42,7 @@ The latest news:
<li><a href="https://www.microsoft.com/en-us/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop/">Helping customers shift to a modern desktop</a> - September 6, 2018</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-amp-Windows-Analytics-a-real-world/ba-p/242417#M228">Windows Update for Business & Windows Analytics: a real-world experience</a> - September 5, 2018</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-next-for-Windows-10-and-Windows-Server-quality-updates/ba-p/229461">What's next for Windows 10 and Windows Server quality updates</a> - August 16, 2018
<li><a href="https://www.youtube-nocookie.com/watch/BwB10v55WSk">Windows 10 monthly updates</a> - August 1, 2018 (**video**)</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376">Windows 10 update servicing cadence</a> - August 1, 2018
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-quality-updates-explained-amp-the-end-of-delta/ba-p/214426">Windows 10 quality updates explained and the end of delta updates</a> - July 11, 2018
<li><a href="https://blogs.windows.com/windowsexperience/2018/06/14/ai-powers-windows-10-april-2018-update-rollout/#67LrSyWdwgTyciSG.97">AI Powers Windows 10 April 2018 Update Rollout</a> - June 14, 2018
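Review bot: the new "Windows 10 monthly updates" entry links to https://www.youtube-nocookie.com/watch/BwB10v55WSk, a path form that differs from the /embed/ URL used for the same video ID at the top of the page; please verify the link resolves. The new line is the only one in this part of the list that closes its <li>; the surrounding entries do not, so the list HTML stays inconsistent.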

View File

@ -129,7 +129,7 @@ Error creating or updating registry key: **CommercialId** at **HKLM:\SOFTWARE\Mi
| 42 - Function **StartImpersonatingLoggedOnUser** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
| 43 - Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
| 44 - Diagtrack.dll version is old, so Auth Proxy will not work. | Update the device using Windows Update or Windows Server Update Services. |
| 45 - Diagrack.dll was not found. | Update the device using Windows Update or Windows Server Update Services. |
| 45 - Diagtrack.dll was not found. | Update the device using Windows Update or Windows Server Update Services. |
| 48 - **CommercialID** mentioned in RunConfig.bat should be a GUID. | Copy the commercialID from your workspace. To find the commercialID, in the OMS portal click **Upgrade Readiness > Settings**. |
| 50 - Diagtrack Service is not running. | The Diagtrack service is required to send data to Microsoft. Enable and run the "Connected User Experiences and Telemetry" service. |
| 51 - RunCensus failed with an unexpected exception. | RunCensus explitly runs the process used to collect device information. The method failed with an unexpected exception. Check the ExceptionHResult and ExceptionMessage for more details. |
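Review bot: while fixing "Diagrack" in row 45, the row 51 text in the same table still reads "explitly" ("explicitly"), and row 48 writes "CommercialID" where the hunk header and the rest of the table use "CommercialId"; tidy both in this change.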

View File

@ -18,6 +18,7 @@
#### [Adding devices](add-devices.md)
#### [Creating profiles](profiles.md)
#### [Enrollment status page](enrollment-status.md)
#### [BitLocker encryption](bitlocker.md)
### [Administering Autopilot via Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
### [Administering Autopilot via Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
### [Administering Autopilot via Microsoft 365 Business & Office 365 Admin portal](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)

View File

@ -0,0 +1,45 @@
---
title: Setting the BitLocker encryption algorithm for Autopilot devices
description: Microsoft Intune provides a comprehensive set of configuration options to manage BitLocker on Windows 10 devices.
keywords: Autopilot, BitLocker, encryption, 256-bit, Windows 10
ms.prod: w10
ms.technology: Windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
ms.localizationpriority: medium
author: greg-lindsay
ms.author: greg-lindsay
---
# Setting the BitLocker encryption algorithm for Autopilot devices
With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. This ensures that the default encrytion algorithm is not applied automatically when this is not the desired setting. Other BitLocker policies that must be applied prior to encryption can also be delivered before automatic BitLocker encryption begins.
The BitLocker encryption algorithm is used when BitLocker is first enabled, and sets the strength to which full volume encryption should occur. Available encryption algorithms are: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit or XTS-AES 256-bit encryption. The default value is XTS-AES 128-bit encryption. See [BitLocker CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp) for information about the recommended encryption algorithms to use.
To ensure the desired BitLocker encryption algorithm is set before automatic encryption occurs for Autopilot devices:
1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm.
2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group.
- **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users.
3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices.
- **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts.
An example of Microsoft Intune Windows Encryption settings is shown below.
![BitLocker encryption settings](images/bitlocker-encryption.png)
Note that a device which is encrypted automatically will need to be decrypted prior to changing the encyption algorithm.
The settings are available under Device Configuration -> Profiles -> Create profile -> Platform = Windows 10 and later, Profile type = Endpoint protection -> Configure -> Windows Encryption -> BitLocker base settings, Configure encryption methods = Enable.
Note: It is also recommended to set Windows Encryption -> Windows Settings -> Encrypt = **Require**.
## Requirements
Windows 10, version 1809 or later.
## See also
[Bitlocker overview](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview)
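Review bot: the operational consequence of getting the ordering wrong ("Note that a device which is encrypted automatically will need to be decrypted prior to changing the encyption algorithm") is buried after the screenshot; move it up beside the two IMPORTANT callouts in the numbered steps, because that is the cost the reader is trying to avoid by assigning the policy to devices and enabling the ESP. While there, fix "encrytion" in the first paragraph and "encyption" in that note, change the "See also" link text "Bitlocker overview" to "BitLocker overview", and use the `> [!NOTE]` alert style the other topics in this commit use instead of a bare "Note:" line. The new front matter also lacks the `ms.date` field that the other topics touched here carry.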

Binary file not shown.


View File

@ -148,6 +148,9 @@ By default, the tool will show you up to 1GB or 30 days of data (whichever comes
>[!IMPORTANT]
>Modifying the maximum amount of diagnostic data viewable by the tool may come with performance impacts to your machine.
>[!IMPORTANT]
>If you modify the maximum data history size from a larger value to a lower value, you must turn off data viewing and turn it back on in order to reclaim disk space.
You can change the maximum data history size (in megabytes) that you can view. For example, to set the maximum data history size to 2048MB (2GB), you can run the following command.
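Review bot: the added `>[!IMPORTANT]` block directly follows the existing one; in Markdown, `>` lines with no blank line between them form a single blockquote, so the second `[!IMPORTANT]` marker would render as literal text inside the first alert rather than as its own callout. Make sure a blank line separates the two alerts, or fold the new sentence into the existing one. It would also help to say what "a lower value" is relative to: lower than the currently configured size, which per the context line defaults to 1GB or 30 days.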
```powershell
@ -174,6 +177,7 @@ To reset the maximum data history size back to its original 1GB default value, r
PS C:\> Set-DiagnosticStoreCapacity -Size 1024 -Time 720
```
When resetting the size of your data history to a lower value, be sure to turn off data viewing and turn it back on in order to reclaim disk space.
## Related Links
- [Module in PowerShell Gallery](https://www.powershellgallery.com/packages/Microsoft.DiagnosticDataViewer)

View File

@ -1,159 +1,159 @@
---
title: Windows 10, version 1809, connection endpoints for non-Enterprise editions
description: Explains what Windows 10 endpoints are used in non-Enterprise editions.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
author: danihalfin
ms.author: daniha
ms.date: 6/26/2018
---
# Windows 10, version 1809, connection endpoints for non-Enterprise editions
**Applies to**
- Windows 10 Home, version 1809
- Windows 10 Professional, version 1809
- Windows 10 Education, version 1809
In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-1809-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1809.
We used the following methodology to derive these network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here.
> [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
## Windows 10 Family
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
|*.aria.microsoft.com* | HTTPS | Office Telemetry
|*.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update.
|*.download.windowsupdate.com* | HTTP | Used to download operating system patches and updates.
|*.g.akamai.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use.
|*.msn.com* |TLSv1.2/HTTPS | Windows Spotlight related traffic
|*.Skype.com | HTTP/HTTPS | Skype related traffic
|*.smartscreen.microsoft.com* | HTTPS | Windows Defender Smartscreen related traffic
|*.telecommand.telemetry.microsoft.com* | HTTPS | Used by Windows Error Reporting.
|*cdn.onenote.net* | HTTP | OneNote related traffic
|*displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store.
|*emdl.ws.microsoft.com* | HTTP | Windows Update related traffic
|*geo-prod.do.dsp.mp.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update.
|*hwcdn.net* | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates.
|*img-prod-cms-rt-microsoft-com.akamaized.net* | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
|*maps.windows.com* | HTTPS | Related to Maps application.
|*msedge.net* | HTTPS | Used by OfficeHub to get the metadata of Office apps.
|*nexusrules.officeapps.live.com* | HTTPS | Office Telemetry
|*photos.microsoft.com* | HTTPS | Photos App related traffic
|*prod.do.dsp.mp.microsoft.com* |TLSv1.2/HTTPS | Used for Windows Update downloads of apps and OS updates.
|*wac.phicdn.net* | HTTP | Windows Update related traffic
|*windowsupdate.com* | HTTP | Windows Update related traffic
|*wns.windows.com* | HTTPS, TLSv1.2 | Used for the Windows Push Notification Services (WNS).
|*wpc.v0cdn.net* | | Windows Telemetry related traffic
|auth.gfx.ms/16.000.27934.1/OldConvergedLogin_PCore.js | | MSA related
|evoke-windowsservices-tas.msedge* | HTTPS | The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
|fe2.update.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store.
|fe3.*.mp.microsoft.com.* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store.
|fs.microsoft.com | | Font Streaming (in ENT traffic)
|g.live.com* | HTTPS | Used by OneDrive
|iriscoremetadataprod.blob.core.windows.net | HTTPS | Windows Telemetry
|mscrl.micorosoft.com | | Certificate Revocation List related traffic.
|ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities.
|officeclient.microsoft.com | HTTPS | Office related traffic.
|oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates.
|purchase.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store.
|query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata.
|ris.api.iris.microsoft.com* |TLSv1.2/HTTPS | Used to retrieve Windows Spotlight metadata.
|ris-prod-atm.trafficmanager.net | HTTPS | Azure traffic manager
|settings.data.microsoft.com* | HTTPS | Used for Windows apps to dynamically update their configuration.
|settings-win.data.microsoft.com* | HTTPS | Used for Windows apps to dynamically update their configuration.
|sls.update.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update.
|store*.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store.
|storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store.
|store-images.s-microsoft.com* | HTTP | Used to get images that are used for Microsoft Store suggestions.
|tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile.
|tsfe.trafficshaping.dsp.mp.microsoft.com* |TLSv1.2 | Used for content regulation.
|v10.events.data.microsoft.com | HTTPS | Diagnostic Data
|wdcp.microsoft.* |TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled.
|wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com | HTTPS | Windows Defender related traffic.
|www.bing.com* | HTTP | Used for updates for Cortana, apps, and Live Tiles.
## Windows 10 Pro
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. |
| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. |
| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. |
| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. |
| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. |
| location-inference-westus.cloudapp.net | HTTPS | Used for location data. |
| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic |
## Windows 10 Education
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
| *.tlu.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. |
| *.windowsupdate.com* | HTTP | Enables connections to Windows Update. |
| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. |
| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. |
| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portals shared infrastructure, including Office Online. |
| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  |
| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. |
| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. |
| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. |
| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. |
| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. |
| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. |
| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. |
| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application |
| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. |
| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. |
| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. |
| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. |
| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. |
| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. |
| bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
---
title: Windows 10, version 1809, connection endpoints for non-Enterprise editions
description: Explains what Windows 10 endpoints are used in non-Enterprise editions.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
author: danihalfin
ms.author: daniha
ms.date: 6/26/2018
---
# Windows 10, version 1809, connection endpoints for non-Enterprise editions
**Applies to**
- Windows 10 Home, version 1809
- Windows 10 Professional, version 1809
- Windows 10 Education, version 1809
In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-1809-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1809.
We used the following methodology to derive these network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here.
> [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
## Windows 10 Family
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
|*.aria.microsoft.com* | HTTPS | Office Telemetry
|*.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update.
|*.download.windowsupdate.com* | HTTP | Used to download operating system patches and updates.
|*.g.akamai.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use.
|*.msn.com* |TLSv1.2/HTTPS | Windows Spotlight related traffic
|*.Skype.com | HTTP/HTTPS | Skype related traffic
|*.smartscreen.microsoft.com* | HTTPS | Windows Defender Smartscreen related traffic
|*.telecommand.telemetry.microsoft.com* | HTTPS | Used by Windows Error Reporting.
|*cdn.onenote.net* | HTTP | OneNote related traffic
|*displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store.
|*emdl.ws.microsoft.com* | HTTP | Windows Update related traffic
|*geo-prod.do.dsp.mp.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update.
|*hwcdn.net* | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates.
|*img-prod-cms-rt-microsoft-com.akamaized.net* | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
|*maps.windows.com* | HTTPS | Related to Maps application.
|*msedge.net* | HTTPS | Used by OfficeHub to get the metadata of Office apps.
|*nexusrules.officeapps.live.com* | HTTPS | Office Telemetry
|*photos.microsoft.com* | HTTPS | Photos App related traffic
|*prod.do.dsp.mp.microsoft.com* |TLSv1.2/HTTPS | Used for Windows Update downloads of apps and OS updates.
|*wac.phicdn.net* | HTTP | Windows Update related traffic
|*windowsupdate.com* | HTTP | Windows Update related traffic
|*wns.windows.com* | HTTPS, TLSv1.2 | Used for the Windows Push Notification Services (WNS).
|*wpc.v0cdn.net* | | Windows Telemetry related traffic
|auth.gfx.ms/16.000.27934.1/OldConvergedLogin_PCore.js | | MSA related
|evoke-windowsservices-tas.msedge* | HTTPS | The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
|fe2.update.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store.
|fe3.*.mp.microsoft.com.* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store.
|fs.microsoft.com | | Font Streaming (in ENT traffic)
|g.live.com* | HTTPS | Used by OneDrive
|iriscoremetadataprod.blob.core.windows.net | HTTPS | Windows Telemetry
|mscrl.micorosoft.com | | Certificate Revocation List related traffic.
|ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities.
|officeclient.microsoft.com | HTTPS | Office related traffic.
|oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates.
|purchase.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store.
|query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata.
|ris.api.iris.microsoft.com* |TLSv1.2/HTTPS | Used to retrieve Windows Spotlight metadata.
|ris-prod-atm.trafficmanager.net | HTTPS | Azure traffic manager
|settings.data.microsoft.com* | HTTPS | Used for Windows apps to dynamically update their configuration.
|settings-win.data.microsoft.com* | HTTPS | Used for Windows apps to dynamically update their configuration.
|sls.update.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update.
|store*.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store.
|storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store.
|store-images.s-microsoft.com* | HTTP | Used to get images that are used for Microsoft Store suggestions.
|tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile.
|tsfe.trafficshaping.dsp.mp.microsoft.com* |TLSv1.2 | Used for content regulation.
|v10.events.data.microsoft.com | HTTPS | Diagnostic Data
|wdcp.microsoft.* |TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled.
|wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com | HTTPS | Windows Defender related traffic.
|www.bing.com* | HTTP | Used for updates for Cortana, apps, and Live Tiles.
## Windows 10 Pro
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. |
| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. |
| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. |
| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. |
| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. |
| location-inference-westus.cloudapp.net | HTTPS | Used for location data. |
| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic |
## Windows 10 Education
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
| *.tlu.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. |
| *.windowsupdate.com* | HTTP | Enables connections to Windows Update. |
| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. |
| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. |
| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portals shared infrastructure, including Office Online. |
| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  |
| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. |
| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. |
| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. |
| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. |
| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. |
| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. |
| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. |
| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application |
| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. |
| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. |
| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. |
| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. |
| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. |
| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. |
| bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
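Review bot: the removed and added halves of this 159-line hunk are character-for-character the same, so the change is whitespace or line-ending only; confirm with `git diff -w` (`--ignore-all-space`) that no text changed and say so in the commit message, otherwise reviewers will compare the endpoint tables by eye. Since the whole file is being rewritten anyway, fix what the visible text still carries: the Family row `mscrl.micorosoft.com` looks like a typo for `mscrl.microsoft.com` (verify against the capture before changing a destination that admins may copy into an allow-list); "using a IPV4 network" should be "an IPv4 network"; "Office 365 portals shared infrastructure" needs the apostrophe; the `evoke-windowsservices-tas.msedge*` row says "The following endpoint" where it means "This endpoint"; the Family table rows lack the closing `|` that the Pro and Education tables use; and the `ms.date: 6/26/2018` and `keywords: ... Windows Server 2016` front matter look stale for a Windows 10, version 1809 topic.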

View File

@ -51,7 +51,7 @@ For information about Windows Defender Remote Credential Guard hardware and soft
## Application requirements
When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality.
When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatibility with the reduced functionality.
>[!WARNING]
> Enabling Windows Defender Credential Guard on domain controllers is not supported. <br>

View File

@ -202,9 +202,9 @@ Active Directory Domain Services uses AdminSDHolder to secure privileged users a
Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the **Key Admins** (or **KeyCredential Admins**) group on the AdminSDHolder object.</br>
```dsacls "CN=AdminSDHolder,CN=System,**DC=domain,DC=com**" /g "**[domainName\keyAdminGroup]**":RPWP,msDS-KeyCredentialLink```</br>
```dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink```</br>
where **DC=domain,DC=com** is the LDAP path of your Active Directory domain and **domainName\keyAdminGroup]** is the NetBIOS name of your domain and the name of the group you use to give access to keys based on your deployment. For example:</br>
```dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net /g "mstepdemo\Key Admins":RPWP,msDS-KeyCredentialLink```
```dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink```
2. To trigger security descriptor propagation, open **ldp.exe**.
3. Click **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and click **OK**.
4. Click **Connection** and select **Bind...** Click **OK** to bind as the currently signed-in user.
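Review bot: the separator fix is right for `dsacls` (`/G user:permissions;object`, a semicolon between the permission bits and the attribute name), and the example now has its missing closing quote and no bold markers inside code, but the explanatory line between the two commands still has the unbalanced `**domainName\keyAdminGroup]**` (the opening `[` is missing) and the `</br>` tags should be `<br>` or `<br/>`. The text should also state what this grant means: because the ACE is placed on AdminSDHolder and then propagated (steps 2 onward), the Key Admins group gains write access to msDS-KeyCredentialLink on every protected account, so that group's membership needs to be controlled as tightly as the protected accounts themselves.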
@ -266,4 +266,4 @@ Users appreciate convenience of biometrics and administrators value the security
- [Windows Hello and password changes](hello-and-password-changes.md)
- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)

View File

@ -29,7 +29,7 @@ When using a key, the on-premises environment needs an adequate distribution of
When using a certificate, the on-premises environment can use Windows Server 2008 R2 and later domain controllers, which removes the Windows Server 2016 domain controller requirement. However, single-sign on using a key requires additional infrastructure to issue a certificate when the user enrolls for Windows Hello for Business. Azure AD joined devices enroll certificates using Microsoft Intune or a compatible Mobile Device Management (MDM). Microsoft Intune and Windows Hello for Business use the Network Device Enrollment Services (NDES) role and support Microsoft Intune connector.
To deploy single sign-on for Azure AD joined devices using keys, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md).
To deploy single sign-on for Azure AD joined devices using, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) and then [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md).
To deploy single sign-on for Azure AD joined devices using certificates, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) and then [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md).
## Related topics
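Review bot: the new line fixes the dangling "using," but the context sentence above it still has the requirement backwards: `However, single-sign on using a key requires additional infrastructure to issue a certificate when the user enrolls` should say `using a certificate`, since the rest of that paragraph (Intune enrollment, NDES, the Intune connector) describes the certificate path, and the preceding sentence already states that the key path is the one that needs Windows Server 2016 domain controllers.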

View File

@ -7,7 +7,6 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: Mir0sh
ms.date: 04/19/2017
---
# 5031(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network.
@ -15,6 +14,8 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
<img src="images/event-5031.png" alt="Event 5031 illustration" width="449" height="317" hspace="10" align="left" />

View File

@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: justinha
ms.author: justinha
ms.date: 10/16/2018
ms.date: 01/16/2019
---
# Application Guard testing scenarios
@ -25,7 +25,7 @@ You can see how an employee would use standalone mode with Application Guard.
**To test Application Guard in Standalone mode**
1. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide.
1. Install Application Guard, using the [installation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard) steps in this guide.
2. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu.
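Review bot: the replacement link is an absolute URL (`https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard`) while the step still says "steps in this guide"; the steps now live on a different page, so either say so or use a relative file link (`install-wd-app-guard.md`), which is the convention the other files in this commit follow (for example `hello-hybrid-aadj-sso-base.md`) and which survives locale and version routing. The same applies to the second hunk in this file, where the link adds the `#install-application-guard` fragment.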
@ -46,7 +46,7 @@ How to install, set up, turn on, and configure Application Guard for Enterprise-
### Install, set up, and turn on Application Guard
Before you can use Application Guard in enterprise mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings.
1. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide.
1. Install Application Guard, using the [installation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard#install-application-guard) steps in this guide.
2. Restart the device and then start Microsoft Edge.

View File

@ -98,6 +98,7 @@
## [Get started](get-started.md)
### [What's new in Windows Defender ATP](whats-new-in-windows-defender-atp.md)
### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
### [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md)
### [Preview features](preview-windows-defender-advanced-threat-protection.md)

View File

@ -10,7 +10,6 @@ ms.sitesec: library
ms.pagetype: security
author: mjcaparas
ms.localizationpriority: medium
ms.date: 10/03/2018
---
# Onboard non-Windows machines
@ -37,7 +36,7 @@ You'll need to take the following steps to onboard non-Windows machines:
1. In the navigation pane, select **Settings** > **Onboarding**. Make sure the third-party solution is listed.
2. Select Mac and Linux as the operating system.
2. Select **Linux, macOS, iOS and Android** as the operating system.
3. Turn on the third-party solution integration.

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 04/24/2018
ms.date: 12/11/2018
---
# Onboard Windows 10 machines using System Center Configuration Manager

View File

@ -1,6 +1,6 @@
---
title: Create and manage roles for role-based access control
description: Create roles and define the permissions assigned to the role as part of the role-based access control implimentation
description: Create roles and define the permissions assigned to the role as part of the role-based access control implementation
keywords: user roles, roles, access rbac
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -11,7 +11,6 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 09/03/2018
---
# Create and manage roles for role-based access control
@ -25,7 +24,7 @@ ms.date: 09/03/2018
## Create roles and assign the role to an Azure Active Directory group
The following steps guide you on how to create roles in Windows Defender Security Center. It assumes that you have already created Azure Active Directory user groups.
1. In the navigation pane, select **Settings > Role based access control > Roles**.
1. In the navigation pane, select **Settings > Roles**.
2. Click **Add role**.
@ -37,9 +36,8 @@ The following steps guide you on how to create roles in Windows Defender Securit
- **Permissions**
- **View data** - Users can view information in the portal.
- **Investigate alerts** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
- **Approve or take action** - Users can take response actions and approve or dismiss pending remediation actions.
- **Manage system settings** - Users can configure settings, SIEM and threat intel API settings, advanced settings, preview features, and automated file uploads.
- **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
- **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions.
- **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
4. Click **Next** to assign the role to an Azure AD group.
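Review bot: the renamed permissions drop capabilities the old `Manage system settings` line listed (SIEM and threat intel API settings, advanced settings, preview features, automated file uploads) without saying where they went; since this is the page admins use to scope roles to least privilege, state whether those now fall under `Manage security settings` or remain reserved for the tenant Global Administrator. The context line `- **View data** - Users can view information in the portal.` survives both versions; confirm it is still the baseline permission every role carries, and that the new names match the labels in the portal exactly.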

View File

@ -0,0 +1,75 @@
---
title: What's new in Windows Defender ATP
description: Lists the new features and functionality in Windows Defender ATP
keywords: what's new in windows defender atp
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
ms.date: 01/07/2019
---
# What's new in Windows Defender ATP
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Here are the new features in the latest release of Windows Defender ATP.
## Windows Defender ATP 1809
- [Controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)
Controlled folder access is now supported on Windows Server 2019.
- [Attack surface reduction rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
All Attack surface reduction rules are now supported on Windows Server 2019.
For Windows 10, version 1809 there are two new attack surface reduction rules:
- Block Adobe Reader from creating child processes
- Block Office communication application from creating child processes.
- [Windows Defender Antivirus](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
- Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. [Office VBA + AMSI: Parting the veil on malicious macros](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/).
- Windows Defender Antivirus can now [run within a sandbox](https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/) (preview), increasing its security.
- [Configure CPU priority settings](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus) for Windows Defender Antivirus scans.
- [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics)<br>
Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
- [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)<br>
With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.
- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)<br>
Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)<br>
Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.
- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)<br>
Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines.
- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) <br>
Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.
- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)<br>
Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor.
- [Removable device control](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/)<br>
Windows Defender ATP provides multiple monitoring and control features to help prevent threats from removable devices, including new settings to allow or block specific hardware IDs.
## Windows Defender ATP 1803
- [Attack surface reduction rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
New attack surface reduction rules:
- Use advanced protection against ransomware
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block process creations originating from PSExec and WMI commands
- Block untrusted and unsigned processes that run from USB
- Block executable content from email client and webmail
- [Controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)
You can now block untrusted processes from writing to disk sectors using Controlled Folder Access.
- [Windows Defender Antivirus](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
Windows Defender Antivirus now shares detection status between M365 services and interoperates with Windows Defender ATP. For more information, see [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. For more information, see [Enable block at first sight](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus).
- [Advanced Hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) <BR>
Query data using Advanced hunting in Windows Defender ATP
- [Automated investigation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)<br> Use Automated investigations to investigate and remediate threats
- [Conditional access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) <br>
Enable conditional access to better protect users, devices, and data
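Review bot: the new page mixes locale-pinned and locale-free links (`https://docs.microsoft.com/en-us/windows/security/...` for the Exploit Guard and Antivirus items, `https://docs.microsoft.com/windows/security/...` for the rest); drop `en-us` throughout so localized readers are not routed to English. Under "Onboard previous versions of Windows", `send sensor data to the Windows Defender ATP sensor` should read "to the Windows Defender ATP service" (the downlevel machines are not the sensor). The headings `Windows Defender ATP 1809` and `Windows Defender ATP 1803` read as product versions; a lead-in saying features are grouped by the Windows 10 release they shipped with would avoid that, and the two new 1809 attack surface reduction rules should be indented under their parent bullet like the 1803 list is.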

View File

@ -16,7 +16,10 @@ ms.date: 1/26/2018
- Windows 10
- Windows 10 Mobile
Windows Defender SmartScreen works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Windows Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely.
Windows Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Windows Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely.
See [Windows 10 (and later) settings to protect devices using Intune](https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune.
## Group Policy settings
SmartScreen uses registry-based Administrative Template policy settings. For more info about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy.
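Review bot: the new sentence `works with Intune, Group Policy, and mobile device management (MDM) settings` lists Intune beside MDM although Intune is one MDM; "Group Policy and MDM settings (including Microsoft Intune)" says the same without the redundancy. The added Intune link carries the `en-us` locale segment; drop it so localized readers are not routed to English.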

View File

@ -286,20 +286,7 @@ For more information about updating Windows 10, see [Windows 10 servicing optio
## Microsoft Edge
Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.
- **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages.
- **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing.
- **Cortana.** Cortana is automatically enabled on Microsoft Edge. Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage.
- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls.
### Enterprise guidance
Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956).
We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10.
[Learn more about using Microsoft Edge in the enterprise](https://technet.microsoft.com/itpro/microsoft-edge/enterprise-guidance-using-microsoft-edge-and-ie11)
Microsoft Edge is not available in the LTSC release of Windows 10.
## See Also
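Review bot: the section is reduced to `Microsoft Edge is not available in the LTSC release of Windows 10.` under a heading still named `## Microsoft Edge`, and the deleted guidance took with it the only statement of which browser LTSC users do get. Keep one sentence saying that Internet Explorer 11 remains the browser in LTSC and that ActiveX-dependent web apps need it (the deleted lines said both), so readers are not left to infer it, and point to the semi-annual channel for Edge.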

View File

@ -30,6 +30,11 @@ The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC use
>[!IMPORTANT]
>The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited.
## Microsoft Intune
>[!NOTE]
>Some features that are described on this page require Microsoft Intune. Currently, information about Microsoft Intune support for LTSC 2019 is pending.
## Security
This version of Window 10 includes security improvements for threat protection, information protection, and identity protection.
@ -175,12 +180,6 @@ This release enables support for WIP with Files on Demand, allows file encryptio
The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3).
#### Delivering BitLocker policy to AutoPilot devices during OOBE
You can choose which encryption algorithm to apply automatic BitLocker encryption to capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before automatic BitLocker encryption begins.
For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE.
#### Silent enforcement on fixed drives
Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that dont pass the HSTI.
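Review bot: the deleted "Delivering BitLocker policy to AutoPilot devices during OOBE" subsection and the kept "Silent enforcement on fixed drives" both depend on MDM policy; if the first was removed because Intune support for LTSC 2019 is pending (the note added near the top of this file), the same caveat applies to the kept subsection and should be stated there rather than leaving one and silently dropping the other. The context line has also lost an apostrophe: `devices that dont pass the HSTI` should be `don't`.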
@ -396,54 +395,11 @@ In the Feedback and Settings page under Privacy Settings you can now delete the
## Configuration
### Kiosk Configuration
### Kiosk configuration
We introduced a simplified assigned access configuration experience in **Settings** that allows device administrators to easily set up a PC as a kiosk or digital sign. A wizard experience walks you through kiosk setup including creating a kiosk account that will automatically sign in when a device starts.
Microsoft Edge has many improvements specifically targeted to Kiosks, however Edge is not available in the LTSC release of Windows 10. Internet Explorer is included in Windows 10 LTSC releases as its feature set is not changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release.
To use this feature, go to **Settings**, search for **assigned access**, and open the **Set up a kiosk** page.
![set up a kiosk](../images/kiosk-mode.png "set up a kiosk")
Microsoft Edge kiosk mode running in single-app assigned access has two kiosk types.
1. **Digital / Interactive signage** that displays a specific website full-screen and runs InPrivate mode.
2. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. Users cannot minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity.
![single app assigned access](../images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access")
Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk types.
>[!NOTE]
>The following Microsoft Edge kiosk mode types cannot be setup using the new simplified assigned access configuration wizard in Windows 10 Settings.
1. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate mode windows.
![multi-app assigned access](../images/Multi-app_kiosk_inFrame.png "multi-app assigned access")
2. **Normal mode** runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store is not set up, users cannot get books.
![normal mode](../images/Normal_inFrame.png "normal mode")
Learn more about [Microsoft Edge kiosk mode](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy).
The AssignedAccess CSP has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For more information, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps).
### Windows 10 kiosk and Kiosk Browser
With this release you can easily deploy and manage kiosk devices with Microsoft Intune in single and multiple app scenarios. This includes the new Kiosk Browser available from the Microsoft Store. Kiosk Browser is great for delivering a reliable and custom-tailored browsing experience for scenarios such as retail and signage. A summary of new features is below.
- Using Intune, you can deploy the Kiosk Browser from the Microsoft Store, configure start URL, allowed URLs, and enable/disable navigation buttons.
- Using Intune, you can deploy and configure shared devices and kiosks using assigned access to create a curated experience with the correct apps and configuration policies
- Support for multiple screens for digital signage use cases.
- The ability to ensure all MDM configurations are enforced on the device prior to entering assigned access using the Enrollment Status page.
- The ability to configure and run Shell Launcher in addition to existing UWP Store apps.
- A simplified process for creating and configuring an auto-logon kiosk account so that a public kiosk automatically enters a desired state after a reboot, a critical security requirement for public-facing use cases.
- For multi-user Firstline Worker kiosk devices, instead of specifying every user, its now possible to assign different assigned access configurations to Azure AD groups or Active Directory groups.
- To help with troubleshooting, you can now view error reports generated if an assigned access-configured app has issues.
For more information, see:
- [Making IT simpler with a modern workplace](https://www.microsoft.com/en-us/microsoft-365/blog/2018/04/27/making-it-simpler-with-a-modern-workplace/)
- [Simplifying kiosk management for IT with Windows 10](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Simplifying-kiosk-management-for-IT-with-Windows-10/ba-p/187691)
If you wish to take advantage of [Kiosk capabilities in Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy), consider [Kiosk mode](https://docs.microsoft.com/windows/configuration/kiosk-methods) with a semi-annual release channel.
### Co-management
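Review bot: the added line `Microsoft Edge has many improvements specifically targeted to Kiosks, however Edge is not available in the LTSC release of Windows 10.` is a comma splice with a stray capital; split it ("...targeted at kiosks. However, Edge is not available..."). The deletion also removes the only statement that a public kiosk must return to its configured state after a reboot, which the deleted lines called a critical security requirement for public-facing use; the surviving paragraph still says the wizard creates an account that signs in automatically, so keep one sentence on that requirement next to it.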
@ -455,20 +411,6 @@ For more information, see [What's New in MDM enrollment and management](https://
The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update. With this release, administrators can use Intune or [DISM](#dism) to customize the length of the OS uninstall period.
### Windows Configuration Designer
Previously known as *Windows Imaging and Configuration Designer (ICD)*, the tool for creating provisioning packages is renamed **Windows Configuration Designer**. The new Windows Configuration Designer is available in [Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) as an app. To run Windows Configuration Designer on earlier versions of Windows, you can still install Windows Configuration Designer from the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit).
Windows Configuration Designer in Windows 10 Enterprise 2019 LTSC includes several new wizards to make it easier to create provisioning packages.
![wizards for desktop, mobile, kiosk, Surface Hub](../images/wcd-options.png)
Both the desktop and kiosk wizards include an option to remove pre-installed software, based on the new [CleanPC configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp).
![remove pre-installed software option](../images/wcd-cleanpc.png)
[Learn more about Windows Configuration Designer.](/windows/configuration/provisioning-packages/provisioning-packages)
### Azure Active Directory join in bulk
Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards.
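Review bot: after the "Windows Configuration Designer" section is removed, the first context line of the next section, `Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory]`, refers to "new wizards" that are no longer introduced anywhere on the page; reword to "Using the Windows Configuration Designer wizards, you can ..." or restore a one-line pointer to the tool. If the section was cut because the Store app or the CleanPC CSP does not apply to LTSC, say so, since provisioning packages remain the LTSC path for the bulk Azure AD join described here.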
@ -495,25 +437,6 @@ Previously, the customized taskbar could only be deployed using Group Policy or
- Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep)
- Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist).
### Cortana at work
Cortana is Microsofts personal digital assistant, who helps busy people get things done, even while at work. Cortana has powerful configuration options, specifically optimized for your business. By signing in with an Azure Active Directory (Azure AD) account, your employees can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.
Using Azure AD also means that you can remove an employees profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data.
For more info about Cortana at work, see [Cortana integration in your business or enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview)
## Microsoft Edge
iOS and Android versions of Edge are now available. For more information, see [Microsoft Edge Tips](https://microsoftedgetips.microsoft.com/en-us?source=firstrunwip).
Support in [Windows Defender Application Guard](#windows-defender-application-guard) is also improved.
#### Microsoft Edge Group Policies
We introduced new group policies and Modern Device Management settings to manage Microsoft Edge. The new policies include enabling and disabling full-screen mode, printing, favorites bar, and saving history; preventing certificate error overrides; configuring the Home button and startup options; setting the New Tab page and Home button URL, and managing extensions. Learn more about the [new Microsoft Edge policies](https://aka.ms/new-microsoft-edge-group-policies).
## Windows Update
### Windows Update for Business
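Review bot: this hunk deletes the `## Microsoft Edge` section outright, whereas the other LTSC what's-new page edited in this commit keeps its `## Microsoft Edge` heading with a one-line "not available in the LTSC release" note; pick one convention for both pages so readers searching either page for Edge get the same answer. Removing `Support in [Windows Defender Application Guard](#windows-defender-application-guard) is also improved.` is consistent with Edge being absent, but check that the Application Guard section this anchor points at still states that its browser isolation depends on Edge.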

View File

@ -65,10 +65,18 @@ This feature will soon be enabled on Olympia Corp as an optional feature.
#### Delivering BitLocker policy to AutoPilot devices during OOBE
You can choose which encryption algorithm to apply automatic BitLocker encryption to capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before automatic BitLocker encryption begins.
You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins.
For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE.
To achieve this:
1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm.
2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group.
- **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users.
3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices.
- **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts.
### Windows Defender Application Guard Improvements
Windows Defender Application Guard (WDAG) introduced a new user interface inside **Windows Security** in this release. Standalone users can now install and configure their Windows Defender Application Guard settings in Windows Security without needing to change registry key settings.
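Review bot: the rewritten sentence "You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm." drops both "automatic" and the OOBE context, but the heading "#### Delivering BitLocker policy to AutoPilot devices during OOBE" and the example ("devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE") still describe automatic encryption during OOBE, so the section now reads inconsistently; suggest "You can choose which encryption algorithm to apply to BitLocker-capable devices during OOBE, rather than having those devices automatically encrypt themselves with the default algorithm." Two smaller points in the same paragraph: "BitLocker encryption capable devices" wants a hyphen ("encryption-capable"), and the comma after the parenthetical in "(and other BitLocker policies that must be applied prior to encryption), to be delivered" should be removed. Finally, the ESP note ("If the ESP is not enabled, the policy will not apply before encryption starts") would be more useful if it stated the consequence the surrounding text implies: the device encrypts with the default algorithm instead of the one configured in step 1.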
