deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 20:33:42 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'main' into millerevan-hololens-insider-policies

Browse Source
This commit is contained in:
Evan Miller
2022-11-07 08:35:47 -08:00
committed by GitHub
parent a91720880f 3c9b7904d1
commit 3006f084c8
2686 changed files with 31449 additions and 35473 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md → windows/client-management/add-an-azure-ad-tenant-and-azure-ad-subscription.md
View File

@ -5,8 +5,8 @@ ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/26/2017
---

7
windows/client-management/administrative-tools-in-windows-10.md
View File

@ -1,7 +1,7 @@
---
title: Windows Tools/Administrative Tools
description: The folders for Windows Tools and Administrative Tools are folders in the Control Panel that contain tools for system administrators and advanced users.
ms.prod: w10
ms.prod: windows-client
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
@ -9,6 +9,7 @@ ms.localizationpriority: medium
ms.date: 03/28/2022
ms.topic: article
ms.collection: highpri
ms.technology: itpro-manage
---
# Windows Tools/Administrative Tools
@ -24,11 +25,11 @@ ms.collection: highpri
The following graphic shows the **Windows Tools** folder in Windows 11:
:::image type="content" source="media/win11-control-panel-windows-tools.png" alt-text="Screenshot of the Control Panel in Windows 11, highlighting the Administrative Tools folder." lightbox="media/win11-control-panel-windows-tools.png":::
:::image type="content" source="images/win11-control-panel-windows-tools.png" alt-text="Screenshot of the Control Panel in Windows 11, highlighting the Administrative Tools folder." lightbox="images/win11-control-panel-windows-tools.png":::
The tools in the folder might vary depending on which edition of Windows you use.
:::image type="content" source="media/win11-windows-tools.png" alt-text="Screenshot of the contents of the Windows Tools folder in Windows 11." lightbox="media/win11-windows-tools.png":::
:::image type="content" source="images/win11-windows-tools.png" alt-text="Screenshot of the contents of the Windows Tools folder in Windows 11." lightbox="images/win11-windows-tools.png":::
## Administrative Tools folder (Windows 10)

117
windows/client-management/advanced-troubleshooting-802-authentication.md
View File

@ -1,117 +0,0 @@
---
title: Advanced Troubleshooting 802.1X Authentication
ms.reviewer:
description: Troubleshoot authentication flow by learning how 802.1X Authentication works for wired and wireless clients.
ms.prod: w10
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.localizationpriority: medium
ms.topic: troubleshooting
ms.collection: highpri
---
# Advanced troubleshooting 802.1X authentication
## Overview
This article includes general troubleshooting for 802.1X wireless and wired clients. While troubleshooting 802.1X and wireless, it's important to know how the flow of authentication works, and then figure out where it's breaking. It involves many third-party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. We don't make access points or switches, so it's not an end-to-end Microsoft solution.
## Scenarios
This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication are attempted and then fail to establish. The workflow covers Windows 7 through Windows 10 (and Windows 11) for clients, and Windows Server 2008 R2 through Windows Server 2012 R2 for NPS.
## Known issues
None
## Data collection
See [Advanced troubleshooting 802.1X authentication data collection](data-collection-for-802-authentication.md).
## Troubleshooting
Viewing [NPS authentication status events](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735320(v%3dws.10)) in the Windows Security [event log](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc722404(v%3dws.11)) is one of the most useful troubleshooting methods to obtain information about failed authentications.
NPS event log entries contain information about the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. If you don't see both success and failure events, see the [NPS audit policy](#audit-policy) section later in this article.
Check the Windows Security event log on the NPS Server for NPS events that correspond to the rejected ([event ID 6273](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or the accepted ([event ID 6272](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts.
In the event message, scroll to the bottom, and then check the [Reason Code](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it.
![example of an audit failure.](images/auditfailure.png)
*Example: event ID 6273 (Audit Failure)*<br><br>
![example of an audit success.](images/auditsuccess.png)
*Example: event ID 6272 (Audit Success)*<br>
The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, if connectivity problems occur, the reason for the failure. For wired network access, the Wired AutoConfig operational log is an equivalent one.
On the client side, go to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, go to **..\Wired-AutoConfig/Operational**. See the following example:
![event viewer screenshot showing wired-autoconfig and WLAN autoconfig.](images/eventviewer.png)
Most 802.1X authentication issues are because of problems with the certificate that's used for client or server authentication. Examples include invalid certificate, expiration, chain verification failure, and revocation check failure.
First, validate the type of EAP method that's used:
![eap authentication type comparison.](images/comparisontable.png)
If a certificate is used for its authentication method, check whether the certificate is valid. For the server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Select and hold (or right-click) the policy, and then select **Properties**. In the pop-up window, go to the **Constraints** tab, and then select the **Authentication Methods** section.
![Constraints tab of the secure wireless connections properties.](images/eappropertymenu.png)
The CAPI2 event log is useful for troubleshooting certificate-related issues.
By default, this log isn't enabled. To enable this log, expand **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2**, select and hold (or right-click) **Operational**, and then select **Enable Log**.
![screenshot of event viewer.](images/capi.png)
For information about how to analyze CAPI2 event logs, see
[Troubleshooting PKI Problems on Windows Vista](/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29).
When troubleshooting complex 802.1X authentication issues, it's important to understand the 802.1X authentication process. Here's an example of wireless connection process with 802.1X authentication:
![authenticator flow chart.](images/authenticator_flow_chart.png)
If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter for a client-side capture, and **EAP** for an NPS-side capture. See the following examples:
![client-side packet capture data.](images/clientsidepacket_cap_data.png)
*Client-side packet capture data*<br><br>
![NPS-side packet capture data.](images/NPS_sidepacket_capture_data.png)
*NPS-side packet capture data*<br>
> [!NOTE]
> If you have a wireless trace, you can also [view ETL files with network monitor](/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. If you need to load the required [parser](/archive/blogs/netmon/parser-profiles-in-network-monitor-3-4), see the instructions under the **Help** menu in Network Monitor. Here's an example:
![ETL parse.](images/etl.png)
## Audit policy
By default, NPS audit policy (event logging) for connection success and failure is enabled. If you find that one or both types of logging are disabled, use the following steps to troubleshoot.
View the current audit policy settings by running the following command on the NPS server:
```console
auditpol /get /subcategory:"Network Policy Server"
```
If both success and failure events are enabled, the output should be:
<pre>
System audit policy
Category/Subcategory Setting
Logon/Logoff
Network Policy Server Success and Failure
</pre>
If it says, "No auditing," you can run this command to enable it:
```console
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
```
Even if audit policy appears to be fully enabled, it sometimes helps to disable and then re-enable this setting. You can also enable Network Policy Server logon/logoff auditing by using Group Policy. To get to the success/failure setting, select **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Advanced Audit Policy Configuration** > **Audit Policies** > **Logon/Logoff** > **Audit Network Policy Server**.
## More references
[Troubleshooting Windows Vista 802.11 Wireless Connections](/previous-versions/windows/it-pro/windows-vista/cc766215(v=ws.10))<br>
[Troubleshooting Windows Vista Secure 802.3 Wired Connections](/previous-versions/windows/it-pro/windows-vista/cc749352(v=ws.10))

356
windows/client-management/advanced-troubleshooting-boot-problems.md
View File

@ -1,356 +0,0 @@
---
title: Advanced troubleshooting for Windows boot problems
description: Learn to troubleshoot when Windows can't boot. This article includes advanced troubleshooting techniques intended for use by support agents and IT professionals.
ms.prod: w10
ms.technology: windows
ms.localizationpriority: medium
ms.date: 06/02/2022
author: aczechowski
ms.author: aaroncz
ms.reviewer:
manager: dougeby
ms.topic: troubleshooting
ms.collection: highpri
---
# Advanced troubleshooting for Windows boot problems
<p class="alert is-flex is-primary"><span class="has-padding-left-medium has-padding-top-extra-small"><a class="button is-primary" href="https://vsa.services.microsoft.com/v1.0/?partnerId=7d74cf73-5217-4008-833f-87a1a278f2cb&flowId=DMC&initialQuery=boot" target='_blank'><b>Try our Virtual Agent</b></a></span><span class="has-padding-small"> - It can help you quickly identify and fix common Windows boot issues.</span>
> [!NOTE]
> This article is intended for use by support agents and IT professionals. If you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://support.microsoft.com/windows/recovery-options-in-windows-31ce2444-7de3-818c-d626-e3b5a3024da5).
## Summary
There are several reasons why a Windows-based computer may have problems during startup. To troubleshoot boot problems, first determine in which of the following phases the computer gets stuck:
| Phase | Boot Process | BIOS | UEFI |
|-----------|----------------------|------------------------------------|-----------------------------------|
| 1 | PreBoot | MBR/PBR (Bootstrap Code) | UEFI Firmware |
| 2 | Windows Boot Manager | %SystemDrive%\bootmgr | \EFI\Microsoft\Boot\bootmgfw.efi |
| 3 | Windows OS Loader | %SystemRoot%\system32\winload.exe | %SystemRoot%\system32\winload.efi |
| 4 | Windows NT OS Kernel | %SystemRoot%\system32\ntoskrnl.exe | |
1. **PreBoot**: The PC's firmware initiates a power-on self test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot Manager.
2. **Windows Boot Manager**: Windows Boot Manager finds and starts the Windows loader (Winload.exe) on the Windows boot partition.
3. **Windows operating system loader**: Essential drivers required to start the Windows kernel are loaded and the kernel starts to run.
4. **Windows NT OS Kernel**: The kernel loads into memory the system registry hive and other drivers that are marked as BOOT_START.
The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that aren't marked BOOT_START.
<a name="boot-sequence"></a>
Here's a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before you start troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement. Select the thumbnail to view it larger.
:::image type="content" source="images/boot-sequence-thumb.png" alt-text="Diagram of the boot sequence flowchart." lightbox="images/boot-sequence.png":::
Each phase has a different approach to troubleshooting. This article provides troubleshooting techniques for problems that occur during the first three phases.
> [!NOTE]
> If the computer repeatedly boots to the recovery options, run the following command at a command prompt to break the cycle:
>
> `Bcdedit /set {default} recoveryenabled no`
>
> If the F8 options don't work, run the following command:
>
> `Bcdedit /set {default} bootmenupolicy legacy`
## BIOS phase
To determine whether the system has passed the BIOS phase, follow these steps:
1. If there are any external peripherals connected to the computer, disconnect them.
2. Check whether the hard disk drive light on the physical computer is working. If it's not working, this dysfunction indicates that the startup process is stuck at the BIOS phase.
3. Press the NumLock key to see whether the indicator light toggles on and off. If it doesn't toggle, this dysfunction indicates that the startup process is stuck at BIOS.
If the system is stuck at the BIOS phase, there may be a hardware problem.
## Boot loader phase
If the screen is black except for a blinking cursor, or if you receive one of the following error codes, this status indicates that the boot process is stuck in the Boot Loader phase:
- Boot Configuration Data (BCD) missing or corrupted
- Boot file or MBR corrupted
- Operating system Missing
- Boot sector missing or corrupted
- Bootmgr missing or corrupted
- Unable to boot due to system hive missing or corrupted
To troubleshoot this problem, use Windows installation media to start the computer, press **Shift** + **F10** for a command prompt, and then use any of the following methods.
### Method 1: Startup Repair tool
The Startup Repair tool automatically fixes many common problems. The tool also lets you quickly diagnose and repair more complex startup problems. When the computer detects a startup problem, the computer starts the Startup Repair tool. When the tool starts, it performs diagnostics. These diagnostics include analyzing startup log files to determine the cause of the problem. When the Startup Repair tool determines the cause, the tool tries to fix the problem automatically.
To do this task of invoking the Startup Repair tool, follow these steps.
> [!NOTE]
> For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#entry-points-into-winre).
1. Start the system to the installation media for the installed version of Windows. For more information, see [Create installation media for Windows](https://support.microsoft.com/windows/create-installation-media-for-windows-99a58364-8c02-206f-aa6f-40c3b507420d).
2. On the **Install Windows** screen, select **Next** > **Repair your computer**.
3. On the **Choose an option** screen, select **Troubleshoot**.
4. On the **Advanced options** screen, select **Startup Repair**.
5. After Startup Repair, select **Shutdown**, then turn on your PC to see if Windows can boot properly.
The Startup Repair tool generates a log file to help you understand the startup problems and the repairs that were made. You can find the log file in the following location:
`%windir%\System32\LogFiles\Srt\Srttrail.txt`
For more information, see [Troubleshoot blue screen errors](https://support.microsoft.com/sbs/windows/troubleshoot-blue-screen-errors-5c62726c-6489-52da-a372-3f73142c14ad).
### Method 2: Repair Boot Codes
To repair boot codes, run the following command:
```command
BOOTREC /FIXMBR
```
To repair the boot sector, run the following command:
```command
BOOTREC /FIXBOOT
```
> [!NOTE]
> Running `BOOTREC` together with `Fixmbr` overwrites only the master boot code. If the corruption in the MBR affects the partition table, running `Fixmbr` may not fix the problem.
### Method 3: Fix BCD errors
If you receive BCD-related errors, follow these steps:
1. Scan for all the systems that are installed. To do this step, run the following command:
```command
Bootrec /ScanOS
```
2. Restart the computer to check whether the problem is fixed.
3. If the problem isn't fixed, run the following commands:
```command
bcdedit /export c:\bcdbackup
attrib c:\boot\bcd -r -s -h
ren c:\boot\bcd bcd.old
bootrec /rebuildbcd
```
4. Restart the system.
### Method 4: Replace Bootmgr
If methods 1, 2 and 3 don't fix the problem, replace the Bootmgr file from drive C to the System Reserved partition. To do this replacement, follow these steps:
1. At a command prompt, change the directory to the System Reserved partition.
2. Run the `attrib` command to unhide the file:
```command
attrib -r -s -h
```
3. Navigate to the system drive and run the same command:
```command
attrib -r -s -h
```
4. Rename the `bootmgr` file as `bootmgr.old`:
```command
ren c:\bootmgr bootmgr.old
```
5. Navigate to the system drive.
6. Copy the `bootmgr` file, and then paste it to the System Reserved partition.
7. Restart the computer.
### Method 5: Restore system hive
If Windows can't load the system registry hive into memory, you must restore the system hive. To do this step, use the Windows Recovery Environment or use the Emergency Repair Disk (ERD) to copy the files from the `C:\Windows\System32\config\RegBack` directory to `C:\Windows\System32\config`.
If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced.
> [!NOTE]
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more information, see [The system registry is no longer backed up to the RegBack folder starting in Windows 10 version 1803](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder).
## Kernel Phase
If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These error messages include, but aren't limited to, the following examples:
- A Stop error appears after the splash screen (Windows Logo screen).
- Specific error code is displayed. For example, `0x00000C2` , `0x0000007B` , or `inaccessible boot device`.
- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md)
- [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md)
- The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon.
- A black screen appears after the splash screen.
To troubleshoot these problems, try the following recovery boot options one at a time.
### Scenario 1: Try to start the computer in Safe mode or Last Known Good Configuration
On the **Advanced Boot Options** screen, try to start the computer in **Safe Mode** or **Safe Mode with Networking**. If either of these options works, use Event Viewer to help identify and diagnose the cause of the boot problem. To view events that are recorded in the event logs, follow these steps:
1. Use one of the following methods to open Event Viewer:
- Go to the **Start** menu, select **Administrative Tools**, and then select **Event Viewer**.
- Start the Event Viewer snap-in in Microsoft Management Console (MMC).
2. In the console tree, expand Event Viewer, and then select the log that you want to view. For example, choose **System log** or **Application log**.
3. In the details pane, open the event that you want to view.
4. On the **Edit** menu, select **Copy**. Open a new document in the program in which you want to paste the event. For example, Microsoft Word. Then select **Paste**.
5. Use the up arrow or down arrow key to view the description of the previous or next event.
### Clean boot
To troubleshoot problems that affect services, do a clean boot by using System Configuration (`msconfig`).
Select **Selective startup** to test the services one at a time to determine which one is causing the problem. If you can't find the cause, try including system services. However, in most cases, the problematic service is third-party.
Disable any service that you find to be faulty, and try to start the computer again by selecting **Normal startup**.
For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/topic/how-to-perform-a-clean-boot-in-windows-da2f9573-6eec-00ad-2f8a-a97a1807f3dd).
If the computer starts in Disable Driver Signature mode, start the computer in Disable Driver Signature Enforcement mode, and then follow the steps that are documented in the following article to determine which drivers or files require driver signature enforcement:
[Troubleshooting boot problem caused by missing driver signature (x64)](/archive/blogs/askcore/troubleshooting-boot-issues-due-to-missing-driver-signature-x64)
> [!NOTE]
> If the computer is a domain controller, try Directory Services Restore mode (DSRM).
>
> This method is an important step if you encounter Stop error "0xC00002E1" or "0xC00002E2"
#### Examples
> [!WARNING]
> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft can't guarantee that these problems can be solved. Modify the registry at your own risk.
*Error code INACCESSIBLE_BOOT_DEVICE (STOP 0x7B)*
To troubleshoot this Stop error, follow these steps to filter the drivers:
1. Go to Windows Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of the same version of Windows or a later version.
2. Open the registry.
3. Load the system hive, and name it **test**.
4. Under the following registry subkey, check for lower filter and upper filter items for non-Microsoft drivers:
`HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class`
5. For each third-party driver that you locate, select the upper or lower filter, and then delete the value data.
6. Search through the whole registry for similar items. Process as appropriate, and then unload the registry hive.
7. Restart the server in Normal mode.
For more troubleshooting steps, see [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md).
To fix problems that occur after you install Windows updates, check for pending updates by using these steps:
1. Open a Command Prompt window in WinRE.
2. Run the command:
```command
DISM /image:C:\ /get-packages
```
3. If there are any pending updates, uninstall them by running the following commands:
```command
DISM /image:C:\ /remove-package /packagename: name of the package
DISM /Image:C:\ /Cleanup-Image /RevertPendingActions
```
Try to start the computer.
If the computer doesn't start, follow these steps:
1. Open a command prompt window in WinRE, and start a text editor, such as Notepad.
2. Navigate to the system drive, and search for `windows\winsxs\pending.xml`.
3. If the pending.xml file is found, rename the file as `pending.xml.old`.
4. Open the registry, and then load the component hive in HKEY_LOCAL_MACHINE as test.
5. Highlight the loaded test hive, and then search for the `pendingxmlidentifier` value.
6. If the `pendingxmlidentifier` value exists, delete it.
7. Unload the test hive.
8. Load the system hive, name it **test**.
9. Navigate to the following subkey:
`HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TrustedInstaller`
10. Change the **Start** value from `1` to `4`.
11. Unload the hive.
12. Try to start the computer.
If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For more information, see [Generate a kernel or complete crash dump](./generate-kernel-or-complete-crash-dump.md).
For more information about page file problems in Windows 10 or Windows Server 2016, see [Introduction to page files](./introduction-page-file.md).
For more information about Stop errors, see [Advanced troubleshooting for Stop error or blue screen error issue](./troubleshoot-stop-errors.md).
Sometimes the dump file shows an error that's related to a driver. For example, `windows\system32\drivers\stcvsm.sys` is missing or corrupted. In this instance, follow these guidelines:
- Check the functionality that's provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does.
- If the driver isn't important and has no dependencies, load the system hive, and then disable the driver.
- If the stop error indicates system file corruption, run the system file checker in offline mode.
- To do this action, open WinRE, open a command prompt, and then run the following command:
```command
SFC /Scannow /OffBootDir=C:\ /OffWinDir=C:\Windows
```
For more information, see [Using system file checker (SFC) to fix issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues).
- If there's disk corruption, run the check disk command:
```command
chkdsk /f /r
```
- If the Stop error indicates general registry corruption, or if you believe that new drivers or services were installed, follow these steps:
1. Start WinRE, and open a command prompt window.
2. Start a text editor, such as Notepad.
3. Navigate to `C:\Windows\System32\Config\`.
4. Rename the all five hives by appending `.old` to the name.
5. Copy all the hives from the `Regback` folder, paste them in the `Config` folder, and then try to start the computer in Normal mode.
> [!NOTE]
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more information, see [The system registry is no longer backed up to the RegBack folder starting in Windows 10 version 1803](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder).

324
windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
View File

@ -1,324 +0,0 @@
---
title: Advanced Troubleshooting Wireless Network Connectivity
ms.reviewer:
manager: dougeby
description: Learn how to troubleshoot Wi-Fi connections. Troubleshooting Wi-Fi connections requires understanding the basic flow of the Wi-Fi autoconnect state machine.
ms.prod: w10
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
ms.topic: troubleshooting
---
# Advanced troubleshooting wireless network connectivity
> [!NOTE]
> Home users: This article is intended for use by support agents and IT professionals. If you're looking for more general information about Wi-Fi problems in Windows 10, check out this [Windows 10 Wi-Fi fix article](https://support.microsoft.com/en-in/help/4000432/windows-10-fix-wi-fi-problems).
## Overview
This overview describes the general troubleshooting of establishing Wi-Fi connections from Windows clients.
Troubleshooting Wi-Fi connections requires understanding the basic flow of the Wi-Fi autoconnect state machine. Understanding this flow makes it easier to determine the starting point in a repro scenario in which a different behavior is found.
This workflow involves knowledge and use of [TextAnalysisTool](https://github.com/TextAnalysisTool/Releases), an extensive text filtering tool that is useful with complex traces with numerous ETW providers such as wireless_dbg trace scenario.
## Scenarios
This article applies to any scenario in which Wi-Fi connections fail to establish. The troubleshooter is developed with Windows 10 clients in focus, but also may be useful with traces as far back as Windows 7.
> [!NOTE]
> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component [Event Tracing for Windows](/windows/desktop/etw/event-tracing-portal) (ETW). It's not meant to be representative of every wireless problem scenario.
Wireless ETW is incredibly verbose and calls out many innocuous errors (rather flagged behaviors that have little or nothing to do with the problem scenario). Searching for or filtering on "err", "error", and "fail" will seldom lead you to the root cause of a problematic Wi-Fi scenario. Instead it will flood the screen with meaningless logs that will obfuscate the context of the actual problem.
It's important to understand the different Wi-Fi components involved, their expected behaviors, and how the problem scenario deviates from those expected behaviors.
The intention of this troubleshooter is to show how to find a starting point in the verbosity of wireless_dbg ETW and home in on the responsible components that are causing the connection problem.
### Known Issues and fixes
| OS version | Fixed in |
| --- | --- |
| **Windows 10, version 1803** | [KB4284848](https://support.microsoft.com/help/4284848) |
| **Windows 10, version 1709** | [KB4284822](https://support.microsoft.com/help/4284822) |
| **Windows 10, version 1703** | [KB4338827](https://support.microsoft.com/help/4338827) |
Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update-history webpage for your system:
- [Windows 10 version 1809](https://support.microsoft.com/help/4464619)
- [Windows 10 version 1803](https://support.microsoft.com/help/4099479)
- [Windows 10 version 1709](https://support.microsoft.com/en-us/help/4043454)
- [Windows 10 version 1703](https://support.microsoft.com/help/4018124)
- [Windows 10 version 1607 and Windows Server 2016](https://support.microsoft.com/help/4000825)
- [Windows 10 version 1511](https://support.microsoft.com/help/4000824)
- [Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/4009470)
- [Windows Server 2012](https://support.microsoft.com/help/4009471)
- [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/4009469)
## Data Collection
1. Network Capture with ETW. Enter the following command at an elevated command prompt:
```console
netsh trace start wireless_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl
```
2. Reproduce the issue.
- If there's a failure to establish connection, try to manually connect.
- If it's intermittent but easily reproducible, try to manually connect until it fails. Record the time of each connection attempt, and whether it was a success or failure.
- If the issue is intermittent but rare, netsh trace stop command needs to be triggered automatically (or at least alerted to admin quickly) to ensure trace doesnt overwrite the repro data.
- If intermittent connection drops trigger stop command on a script (ping or test network constantly until fail, then netsh trace stop).
3. Stop the trace by entering the following command:
```console
netsh trace stop
```
4. To convert the output file to text format:
```console
netsh trace convert c:\tmp\wireless.etl
```
See the [example ETW capture](#example-etw-capture) at the bottom of this article for an example of the command output. After running these commands, you'll have three files: wireless.cab, wireless.etl, and wireless.txt.
## Troubleshooting
The following view is a high-level one of the main wifi components in Windows.
|Wi-fi Components|Description|
|--- |--- |
|![Windows Connection Manager](images/wcm.png)|The Windows Connection Manager (Wcmsvc) is closely associated with the UI controls (taskbar icon) to connect to various networks, including wireless networks. It accepts and processes input from the user and feeds it to the core wireless service.|
|![WLAN Autoconfig Service](images/wlan.png)|The WLAN Autoconfig Service (WlanSvc) handles the following core functions of wireless networks in windows:<li> Scanning for wireless networks in range<li>Managing connectivity of wireless networks|
|![Media Specific Module](images/msm.png)|The Media Specific Module (MSM) handles security aspects of connection being established.|
|![Native WiFi stack](images/wifi-stack.png)|The Native WiFi stack consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc.|
|![Wireless miniport](images/miniport.png)|Third-party wireless miniport drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows.|
The wifi connection state machine has the following states:
- Reset
- Ihv_Configuring
- Configuring
- Associating
- Authenticating
- Roaming
- Wait_For_Disconnected
- Disconnected
Standard wifi connections tend to transition between states such as:
- Connecting
Reset --> Ihv_Configuring --> Configuring --> Associating --> Authenticating --> Connected
- Disconnecting
Connected --> Roaming --> Wait_For_Disconnected --> Disconnected --> Reset
Filtering the ETW trace with the [TextAnalysisTool](https://github.com/TextAnalysisTool/Releases) (TAT) is an easy first step to determine where a failed connection setup is breaking down. A useful [wifi filter file](#wifi-filter-file) is included at the bottom of this article.
Use the **FSM transition** trace filter to see the connection state machine. You can see [an example](#textanalysistool-example) of this filter applied in the TAT at the bottom of this page.
An example of a good connection setup is:
```console
44676 [2]0F24.1020::2018-09-17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset
45473 [1]0F24.1020::2018-09-17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv_Configuring
45597 [3]0F24.1020::2018-09-17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv_Configuring to State: Configuring
46085 [2]0F24.17E0::2018-09-17 10:22:14.710 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Configuring to State: Associating
47393 [1]0F24.1020::2018-09-17 10:22:14.879 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Associating to State: Authenticating
49465 [2]0F24.17E0::2018-09-17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Connected
```
An example of a failed connection setup is:
```console
44676 [2]0F24.1020::2018-09-17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset
45473 [1]0F24.1020::2018-09-17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv_Configuring
45597 [3]0F24.1020::2018-09-17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv_Configuring to State: Configuring
46085 [2]0F24.17E0::2018-09-17 10:22:14.710 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Configuring to State: Associating
47393 [1]0F24.1020::2018-09-17 10:22:14.879 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Associating to State: Authenticating
49465 [2]0F24.17E0::2018-09-17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Roaming
```
By identifying the state at which the connection fails, one can focus more specifically in the trace on logs prior to the last known good state.
Examining **[Microsoft-Windows-WLAN-AutoConfig]** logs prior to the bad state change should show evidence of error. Often, however, the error is propagated up through other wireless components.
In many cases the next component of interest will be the MSM, which lies just below Wlansvc.
The important components of the MSM include:
- Security Manager (SecMgr) - handles all pre and post-connection security operations.
- Authentication Engine (AuthMgr) Manages 802.1x auth requests
![MSM details.](images/msmdetails.png)
Each of these components has its own individual state machines that follow specific transitions.
Enable the **FSM transition, SecMgr Transition,** and **AuthMgr Transition** filters in TextAnalysisTool for more detail.
Further to the preceding example, the combined filters look like the following command example:
```console
[2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Reset to State: Ihv_Configuring
[2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Ihv_Configuring to State: Configuring
[1] 0C34.2FE8::08/28/17-13:24:28.711 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Configuring to State: Associating
[0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition INACTIVE (1) --> ACTIVE (2)
[0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition ACTIVE (2) --> START AUTH (3)
[4] 0EF8.0708::08/28/17-13:24:28.928 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition ENABLED --> START_AUTH
[3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Associating to State: Authenticating
[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
[4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition START_AUTH --> AUTHENTICATING
[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
[2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Authenticating to State: Roaming
```
> [!NOTE]
> In the next to last line the SecMgr transition is suddenly deactivating:<br>
>\[2\] 0C34.2FF0::08/28/17-13:24:29.7512788 \[Microsoft-Windows-WLAN-AutoConfig\]Port\[13\] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)<br><br>
>This transition is what eventually propagates to the main connection state machine and causes the Authenticating phase to devolve to Roaming state. As before, it makes sense to focus on tracing prior to this SecMgr behavior to determine the reason for the deactivation.
Enabling the **Microsoft-Windows-WLAN-AutoConfig** filter will show more detail leading to the DEACTIVATE transition:
```console
[3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Associating to State: Authenticating
[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
[4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition START_AUTH --> AUTHENTICATING
[0]0EF8.2EF4::08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PHY_STATE_CHANGE
[0]0EF8.2EF4::08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Change radio state for interface = Intel(R) Centrino(R) Ultimate-N 6300 AGN : PHY = 3, software state = on , hardware state = off )
[0] 0EF8.1174::08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PORT_DOWN
[0] 0EF8.1174::08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]FSM Current state Authenticating , event Upcall_Port_Down
[0] 0EF8.1174:: 08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received IHV PORT DOWN, peer 0x186472F64FD2
[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
[2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Authenticating to State: Roaming
```
The trail backwards reveals a **Port Down** notification:
\[0\] 0EF8.1174:: 08/28/17-13:24:29.705 \[Microsoft-Windows-WLAN-AutoConfig\]Received IHV PORT DOWN, peer 0x186472F64FD2
Port events indicate changes closer to the wireless hardware. The trail can be followed by continuing to see the origin of this indication.
Below, the MSM is the native wifi stack. These drivers are Windows native wifi drivers that talk to the wifi miniport drivers. It's responsible for converting Wi-Fi (802.11) packets to 802.3 (Ethernet) so that TCPIP and other protocols and can use it.
Enable trace filter for **[Microsoft-Windows-NWifi]:**
```console
[3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Associating to State: Authenticating
[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
[4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x8A1514B62510 AuthMgr Transition START_AUTH --> AUTHENTICATING
[0]0000.0000::08/28/17-13:24:29.127 [Microsoft-Windows-NWiFi]DisAssoc: 0x8A1514B62510 Reason: 0x4
[0]0EF8.2EF4::08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PHY_STATE_CHANGE
[0]0EF8.2EF4::08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Change radio state for interface = Intel(R) Centrino(R) Ultimate-N 6300 AGN : PHY = 3, software state = on , hardware state = off )
[0] 0EF8.1174::08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PORT_DOWN
[0] 0EF8.1174::08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]FSM Current state Authenticating , event Upcall_Port_Down
[0] 0EF8.1174:: 08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received IHV PORT DOWN, peer 0x186472F64FD2
[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
[2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Authenticating to State: Roaming
```
In the trace above, we see the line:
```console
[0]0000.0000::08/28/17-13:24:29.127 [Microsoft-Windows-NWiFi]DisAssoc: 0x8A1514B62510 Reason: 0x4
```
This line is followed by **PHY_STATE_CHANGE** and **PORT_DOWN** events due to a disassociate coming from the Access Point (AP), as an indication to deny the connection. This denail could be due to invalid credentials, connection parameters, loss of signal/roaming, and various other reasons for aborting a connection. The action here would be to examine the reason for the disassociate sent from the indicated AP MAC (8A:15:14:B6:25:10). This action would be done by examining internal logging/tracing from the AP.
### Resources
[802.11 Wireless Tools and Settings](/previous-versions/windows/it-pro/windows-server-2003/cc755892(v%3dws.10))<br>
[Understanding 802.1X authentication for wireless networks](/previous-versions/windows/it-pro/windows-server-2003/cc759077%28v%3dws.10%29)<br>
## Example ETW capture
```console
C:\tmp>netsh trace start wireless_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl
Trace configuration:
-------------------------------------------------------------------
Status: Running
Trace File: C:\tmp\wireless.etl
Append: Off
Circular: On
Max Size: 4096 MB
Report: Off
C:\tmp>netsh trace stop
Correlating traces ... done
Merging traces ... done
Generating data collection ... done
The trace file and additional troubleshooting information have been compiled as "c:\tmp\wireless.cab".
File location = c:\tmp\wireless.etl
Tracing session was successfully stopped.
C:\tmp>netsh trace convert c:\tmp\wireless.etl
Input file: c:\tmp\wireless.etl
Dump file: c:\tmp\wireless.txt
Dump format: TXT
Report file: -
Generating dump ... done
C:\tmp>dir
Volume in drive C has no label.
Volume Serial Number is 58A8-7DE5
Directory of C:\tmp
01/09/2019 02:59 PM [DIR] .
01/09/2019 02:59 PM [DIR] ..
01/09/2019 02:59 PM 4,855,952 wireless.cab
01/09/2019 02:56 PM 2,752,512 wireless.etl
01/09/2019 02:59 PM 2,786,540 wireless.txt
3 File(s) 10,395,004 bytes
2 Dir(s) 46,648,332,288 bytes free
```
## Wifi filter file
Copy and paste all the lines below and save them into a text file named "wifi.tat." Load the filter file into the TextAnalysisTool by clicking **File > Load Filters**.
```xml
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<TextAnalysisTool.NET version="2018-01-03" showOnlyFilteredLines="False">
<filters>
<filter enabled="n" excluding="n" description="" foreColor="000000" backColor="d3d3d3" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-OneX]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Unknown]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-EapHost]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[]***" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-Winsock-AFD]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-WinHttp]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-WebIO]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-Winsock-NameResolution]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-TCPIP]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-DNS-Client]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-NlaSvc]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-Iphlpsvc-Trace]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-DHCPv6-Client]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-Dhcp-Client]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-NCSI]" />
<filter enabled="y" excluding="n" description="" backColor="90ee90" type="matches_text" case_sensitive="n" regex="n" text="AuthMgr Transition" />
<filter enabled="y" excluding="n" description="" foreColor="0000ff" backColor="add8e6" type="matches_text" case_sensitive="n" regex="n" text="FSM transition" />
<filter enabled="y" excluding="n" description="" foreColor="000000" backColor="dda0dd" type="matches_text" case_sensitive="n" regex="n" text="SecMgr transition" />
<filter enabled="y" excluding="n" description="" foreColor="000000" backColor="f08080" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-NWiFi]" />
<filter enabled="y" excluding="n" description="" foreColor="000000" backColor="ffb6c1" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-WiFiNetworkManager]" />
<filter enabled="y" excluding="n" description="" foreColor="000000" backColor="dda0dd" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-WLAN-AutoConfig]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-NetworkProfile]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-WFP]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-WinINet]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[MSNT_SystemTrace]" />
<filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="Security]Capability" />
</filters>
</TextAnalysisTool.NET>
```
## TextAnalysisTool example
In the following example, the **View** settings are configured to **Show Only Filtered Lines**.
![TAT filter example.](images/tat.png)

62
windows/client-management/mdm/appv-deploy-and-config.md → windows/client-management/appv-deploy-and-config.md
View File

@ -1,10 +1,10 @@
---
title: Deploy and configure App-V apps using MDM
description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Endpoint Manager or App-V server.
description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Intune or App-V server.
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/26/2017
ms.reviewer:
@ -15,13 +15,13 @@ manager: aaroncz
## Executive summary
<p>Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using Microsoft Endpoint Manager or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.</p>
<p>Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.</p>
<p>MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.</p>
### EnterpriseAppVManagement CSP node structure
[EnterpriseAppVManagement CSP reference](./enterpriseappvmanagement-csp.md)
[EnterpriseAppVManagement CSP reference](mdm/enterpriseappvmanagement-csp.md)
The following example shows the EnterpriseAppVManagement configuration service provider in tree format.
@ -72,7 +72,7 @@ EnterpriseAppVManagement
<p>Sync command:</p>
[App-V Sync protocol reference]( https://msdn.microsoft.com/enus/library/mt739986.aspx)
[App-V Sync protocol reference](https://msdn.microsoft.com/enus/library/mt739986.aspx)
<p><b>AppVDynamicPolicy</b> - A read/write node that contains the App-V dynamic configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.</p>
@ -85,7 +85,7 @@ EnterpriseAppVManagement
<p>Dynamic policy examples:</p>
[Dynamic configuration processing](/windows/application-management/app-v/appv-application-publishing-and-client-interaction#bkmk-dynamic-config">Dynamic configuration processing)
[Dynamic configuration processing](/windows/application-management/app-v/appv-application-publishing-and-client-interaction#dynamic-configuration-processing)
<p><b>AppVPackageManagement</b> - Primarily read-only App-V package inventory data for MDM servers to query current packages.</p>
@ -114,9 +114,9 @@ EnterpriseAppVManagement
<p>A complete list of App-V policies can be found here:</p>
[ADMX-backed policy reference](./policy-configuration-service-provider.md)
[ADMX-backed policy reference](mdm/policy-configuration-service-provider.md)
[EnterpriseAppVManagement CSP reference](./enterpriseappvmanagement-csp.md)
[EnterpriseAppVManagement CSP reference](mdm/enterpriseappvmanagement-csp.md)
### SyncML examples
@ -147,24 +147,24 @@ EnterpriseAppVManagement
<p>This example shows how to allow package scripts to run during package operations (publish, run, and unpublish). Allowing package scripts helps package deployments (add and publish of App-V apps).</p>
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowPackageScripts</LocURI>
</Target>
<Data><enabled/></Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowPackageScripts</LocURI>
</Target>
<Data><enabled/></Data>
</Item>
</Replace>
```
<p>Complete list of App-V policies can be found here:</p>
[Policy CSP](./policy-configuration-service-provider.md)
[Policy CSP](mdm/policy-configuration-service-provider.md)
#### SyncML with package published for a device (global to all users for that device)
@ -199,11 +199,11 @@ EnterpriseAppVManagement
</Packages>
<NoGroup>
<Package PackageId="565d8479-394d-439c-824d0e09b7ee732c"/>
</NoGroup>
</NoGroup>
</Publishing>
</Data>
</Item>
</Exec>
</Exec>
```
<p>*PackageUrl can be a UNC or HTTP/HTTPS endpoint.</p>
@ -236,7 +236,7 @@ EnterpriseAppVManagement
<Target>[{ProgramFilesX86}]\Skype\Phone\Skype.exe</Target>
<Icon>[{Windows}]\Installer\{FC965A47-4839-40CA-B61818F486F042C6}\SkypeIcon.exe.0.ico</Icon>
<Arguments/>
<WorkingDirectory>[{ProgramFilesX86}]\Skype\</WorkingDirectory>
<WorkingDirectory>[{ProgramFilesX86}]\Skype\</WorkingDirectory>
<AppUserModelId>Skype.Desktop.Application</AppUserModelId>
<Description>Launch Skype</Description>
<ShowCommand>1</ShowCommand>
@ -339,8 +339,8 @@ EnterpriseAppVManagement
</Publishing>
</Data>
</Item>
</Exec>
```
</Exec>
```
#### SyncML for publishing mixed-mode connection group containing global and user-published packages
@ -403,7 +403,7 @@ EnterpriseAppVManagement
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="c68b054c-ff5f-45a6-9b41-788f2194e3c1" PackageId="e9a51aaf-5d9a48df-96e2-3372a278bca4"></Package>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="fd6b51c7-959e-4d04-ac36-a8244a5693d0" PackageId="565d8479-394d-439c-824d0e09b7ee732c"></Package>
</Packages>
@ -419,7 +419,7 @@ EnterpriseAppVManagement
</Publishing>
</Data>
</Item>
</Exec>
</Exec>
```
#### Unpublish example SyncML for all global packages
@ -481,5 +481,5 @@ EnterpriseAppVManagement
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement?list=StructData</LocURI>
</Target>
</Item>
</Get>
</Get>
```

4
windows/client-management/mdm/assign-seats.md → windows/client-management/assign-seats.md
View File

@ -5,8 +5,8 @@ ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/18/2017
---

6
windows/client-management/mdm/azure-active-directory-integration-with-mdm.md → windows/client-management/azure-active-directory-integration-with-mdm.md
View File

@ -5,8 +5,8 @@ ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.collection: highpri
---
@ -36,7 +36,7 @@ For personal devices (BYOD):
### Azure AD Join
Company owned devices are traditionally joined to the on-premises Active Directory domain of the organization. These devices can be managed using Group Policy or computer management software such as Microsoft Endpoint Configuration Manager. In Windows 10, its also possible to manage domain joined devices with an MDM.
Company owned devices are traditionally joined to the on-premises Active Directory domain of the organization. These devices can be managed using Group Policy or computer management software such as Microsoft Configuration Manager. In Windows 10, its also possible to manage domain joined devices with an MDM.
Windows 10 introduces a new way to configure and deploy organization owned Windows devices. This mechanism is called Azure AD Join. Like traditional domain join, Azure AD Join allows devices to become known and managed by an organization. However, with Azure AD Join, Windows authenticates to Azure AD instead of authenticating to a domain controller.

14
windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md → windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
View File

@ -3,18 +3,22 @@ title: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Porta
description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new portal
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 12/18/2020
ms.reviewer:
manager: aaroncz
---
# Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal
# Azure AD and Microsoft Intune: Automatic MDM enrollment in the Endpoint Manager admin center
> [!NOTE]
> Microsoft Intune portal can be accessed at the following link: [https://endpoint.microsoft.com](https://endpoint.microsoft.com).
Microsoft Intune can be accessed directly using its own admin center. For more information, go to:
- [Tutorial: Walkthrough Intune in Microsoft Endpoint Manager admin center](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
- Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
If you use the Azure portal, then you can access Intune using the following steps:
1. Go to your Azure AD Blade.
2. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app.

4
windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md → windows/client-management/bulk-assign-and-reclaim-seats-from-user.md
View File

@ -5,8 +5,8 @@ ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/18/2017
---

64
windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md → windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
View File

@ -8,15 +8,15 @@ ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/26/2017
---
# Bulk enrollment
Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
## Typical use cases
@ -28,12 +28,12 @@ Bulk enrollment is an efficient way to set up a large number of devices to be ma
On the desktop, you can create an Active Directory account, such as "enrollment@contoso.com" and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can sign in to use it. This account is especially useful in getting a large number of desktop ready to use within a domain.
On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as "enroll@contoso.com" and "enrollmentpassword." These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them.
On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as `enroll@contoso.com` and `enrollmentpassword`. These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them.
> [!NOTE]
> - Bulk-join is not supported in Azure Active Directory Join.
> - Bulk enrollment does not work in Intune standalone environment.
> - Bulk enrollment works in Microsoft Endpoint Manager where the ppkg is generated from the Configuration Manager console.
> - Bulk enrollment works in Microsoft Intune where the ppkg is generated from the Configuration Manager console.
> - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**.
> - Bulk Token creation is not supported with federated accounts.
@ -53,14 +53,14 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
1. Open the WCD tool.
2. Click **Advanced Provisioning**.
2. Select **Advanced Provisioning**.
![icd start page.](images/bulk-enrollment7.png)
3. Enter a project name and click **Next**.
4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then click **Next**.
5. Skip **Import a provisioning package (optional)** and click **Finish**.
3. Enter a project name and select **Next**.
4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then select **Next**.
5. Skip **Import a provisioning package (optional)** and select **Finish**.
6. Expand **Runtime settings** &gt; **Workplace**.
7. Click **Enrollments**, enter a value in **UPN**, and then click **Add**.
7. Select **Enrollments**, enter a value in **UPN**, and then select **Add**.
The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
8. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process.
Here's the list of available settings:
@ -69,13 +69,13 @@ Using the WCD, create a provisioning package using the enrollment information re
- **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
- **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
- **Secret** - Password
For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md).
For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md).
Here's the screenshot of the WCD at this point.
![bulk enrollment screenshot.](images/bulk-enrollment.png)
9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** &gt; **ConnectivityProfiles** &gt; **WLANSetting**).
10. When you're done adding all the settings, on the **File** menu, click **Save**.
11. On the main menu, click **Export** &gt; **Provisioning package**.
10. When you're done adding all the settings, on the **File** menu, select **Save**.
11. On the main menu, select **Export** &gt; **Provisioning package**.
![icd menu for export.](images/bulk-enrollment2.png)
12. Enter the values for your package and specify the package output location.
@ -83,7 +83,7 @@ Using the WCD, create a provisioning package using the enrollment information re
![enter package information.](images/bulk-enrollment3.png)
![enter additional information for package information.](images/bulk-enrollment4.png)
![specify file location.](images/bulk-enrollment6.png)
13. Click **Build**.
13. Select **Build**.
![icb build window.](images/bulk-enrollment5.png)
14. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
@ -94,13 +94,13 @@ Using the WCD, create a provisioning package using the enrollment information re
Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
1. Open the WCD tool.
2. Click **Advanced Provisioning**.
3. Enter a project name and click **Next**.
2. Select **Advanced Provisioning**.
3. Enter a project name and select **Next**.
4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions.
5. Skip **Import a provisioning package (optional)** and click **Finish**.
5. Skip **Import a provisioning package (optional)** and select **Finish**.
6. Specify the certificate.
1. Go to **Runtime settings** &gt; **Certificates** &gt; **ClientCertificates**.
2. Enter a **CertificateName** and then click **Add**.
2. Enter a **CertificateName** and then select **Add**.
3. Enter the **CertificatePasword**.
4. For **CertificatePath**, browse and select the certificate to be used.
5. Set **ExportCertificate** to False.
@ -109,7 +109,7 @@ Using the WCD, create a provisioning package using the enrollment information re
![icd certificates section.](images/bulk-enrollment8.png)
7. Specify the workplace settings.
1. Got to **Workplace** &gt; **Enrollments**.
2. Enter the **UPN** for the enrollment and then click **Add**.
2. Enter the **UPN** for the enrollment and then select **Add**.
The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
3. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process.
Here's the list of available settings:
@ -118,34 +118,34 @@ Using the WCD, create a provisioning package using the enrollment information re
- **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
- **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
- **Secret** - the certificate thumbprint.
For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md).
For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md).
8. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** &gt; **ConnectivityProfiles** &gt; **WLANSetting**).
9. When you're done adding all the settings, on the **File** menu, click **Save**.
9. When you're done adding all the settings, on the **File** menu, select **Save**.
10. Export and build the package (steps 10-13 in the procedure above).
11. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
12. Apply the package to your devices.
## Apply a provisioning package
Here's the list of topics about applying a provisioning package:
Here's the list of articles about applying a provisioning package:
- [Apply a package on the first-run setup screen (out-of-the-box experience)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment#apply-package) - topic in Technet.
- [Apply a package to a Windows desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image) - topic in MSDN
- [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - topic below
- [Apply a package on the first-run setup screen (out-of-the-box experience)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment#apply-package)
- [Apply a package to a Windows desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image)
- [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - article below
## Apply a package from the Settings menu
1. Go to **Settings** &gt; **Accounts** &gt; **Access work or school**.
2. Click **Add or remove a provisioning package**.
3. Click **Add a package**.
2. Select **Add or remove a provisioning package**.
3. Select **Add a package**.
## <a href="" id="validate-that-the-provisioning-package-was-applied-"></a>Validate that the provisioning package was applied
1. Go to **Settings** &gt; **Accounts** &gt; **Access work or school**.
2. Click **Add or remove a provisioning package**.
2. Select **Add or remove a provisioning package**.
You should see your package listed.
## Retry logic in case of a failure
## Retry logic if there's a failure
If the provisioning engine receives a failure from a CSP, it will retry to provision three times in a row.
@ -155,9 +155,9 @@ It will also retry to apply the provisioning each time it's launched, if started
In addition, provisioning will be restarted in a SYSTEM context after a sign in and the system has been idle ([details on idle conditions](/windows/win32/taskschd/task-idle-conditions)).
## Other provisioning topics
## Other provisioning articles
Here are links to step-by-step provisioning topics in Technet.
Here are links to step-by-step provisioning articles:
- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps)
- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment)

4
windows/client-management/mdm/certificate-authentication-device-enrollment.md → windows/client-management/certificate-authentication-device-enrollment.md
View File

@ -5,8 +5,8 @@ ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/26/2017
---

18
windows/client-management/mdm/certificate-renewal-windows-mdm.md → windows/client-management/certificate-renewal-windows-mdm.md
View File

@ -8,8 +8,8 @@ ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/26/2017
---
@ -30,18 +30,18 @@ Windows supports automatic certificate renewal, also known as Renew On Behalf Of
Auto certificate renewal is the only supported MDM client certificate renewal method for the device that's enrolled using WAB authentication. Meaning, the AuthPolicy is set to Federated. It also means if the server supports WAB authentication, then the MDM certificate enrollment server MUST also support client TLS to renew the MDM client certificate.
For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSPs](certificatestore-csp.md) ROBOSupport node under CertificateStore/My/WSTEP/Renew URL.
For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSPs](mdm/certificatestore-csp.md) ROBOSupport node under CertificateStore/My/WSTEP/Renew URL.
With automatic renewal, the PKCS\#7 message content isnt b64 encoded separately. With manual certificate renewal, there's an additional b64 encoding for PKCS\#7 message content.
During the automatic certificate renewal process, if the root certificate isnt trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](certificatestore-csp.md).
During the automatic certificate renewal process, if the root certificate isnt trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](mdm/certificatestore-csp.md).
During the automatic certificate renew process, the device will deny HTTP redirect request from the server. It won't deny the request if the same redirect URL that the user accepted during the initial MDM enrollment process is used.
The following example shows the details of an automatic renewal request.
```xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
@ -62,7 +62,7 @@ The following example shows the details of an automatic renewal request.
<o:UsernameToken u:Id="uuid-2a734df6-b227-4e60-82a8-ed53c574b718-5">
<o:Username>user@contoso.com</o:Username>
<o:Password o:Type=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">
</o:Password>
</o:UsernameToken>
</o:Security>
@ -73,9 +73,9 @@ The following example shows the details of an automatic renewal request.
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
</TokenType>
<RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew</RequestType>
<BinarySecurityToken
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#PKCS7"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
<BinarySecurityToken
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#PKCS7"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
BinarySecurityTokenInsertedHere
</BinarySecurityToken>

3
windows/client-management/change-default-removal-policy-external-storage-media.md
View File

@ -1,7 +1,7 @@
---
title: Windows 10 default media removal policy
description: In Windows 10, version 1809, the default removal policy for external storage media changed from Better performance to Quick removal.
ms.prod: w10
ms.prod: windows-client
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 11/25/2020
@ -13,6 +13,7 @@ ms.custom:
audience: ITPro
ms.localizationpriority: medium
manager: kaushika
ms.technology: itpro-manage
---
# Change in default removal policy for external storage media in Windows 10, version 1809

317
windows/client-management/change-history-for-mdm-documentation.md Normal file
View File

@ -0,0 +1,317 @@
---
title: Change history for MDM documentation
description: This article lists new and updated articles for Mobile Device Management.
author: vinaypamnani-msft
ms.author: vinpa
ms.reviewer:
manager: aaroncz
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
ms.localizationpriority: medium
ms.date: 11/06/2020
---
# Change history for Mobile Device Management documentation
As of November 2020 This page will no longer be updated. This article lists new and updated articles for the Mobile Device Management (MDM) documentation. Updated articles are those articles that had content addition, removal, or corrections—minor fixes, such as correction of typos, style, or formatting issues aren't listed.
## November 2020
|New or updated article | Description|
|--- | ---|
| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following new policy:<br>- [Multitasking/BrowserAltTabBlowout](mdm/policy-csp-multitasking.md#multitasking-browseralttabblowout) |
| [SurfaceHub CSP](mdm/surfacehub-csp.md) | Added the following new node:<br>-Properties/SleepMode |
## October 2020
|New or updated article | Description|
|--- | ---|
| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following new policies<br>- [Experience/DisableCloudOptimizedContent](mdm/policy-csp-experience.md#experience-disablecloudoptimizedcontent)<br>- [LocalUsersAndGroups/Configure](mdm/policy-csp-localusersandgroups.md#localusersandgroups-configure)<br>- [MixedReality/AADGroupMembershipCacheValidityInDays](mdm/policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)<br>- [MixedReality/BrightnessButtonDisabled](mdm/policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)<br>- [MixedReality/FallbackDiagnostics](mdm/policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)<br>- [MixedReality/MicrophoneDisabled](mdm/policy-csp-mixedreality.md#mixedreality-microphonedisabled)<br>- [MixedReality/VolumeButtonDisabled](mdm/policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)<br>- [Update/DisableWUfBSafeguards](mdm/policy-csp-update.md#update-disablewufbsafeguards)<br>- [WindowsSandbox/AllowAudioInput](mdm/policy-csp-windowssandbox.md#windowssandbox-allowaudioinput)<br>- [WindowsSandbox/AllowClipboardRedirection](mdm/policy-csp-windowssandbox.md#windowssandbox-allowclipboardredirection)<br>- [WindowsSandbox/AllowNetworking](mdm/policy-csp-windowssandbox.md#windowssandbox-allownetworking)<br>- [WindowsSandbox/AllowPrinterRedirection](mdm/policy-csp-windowssandbox.md#windowssandbox-allowprinterredirection)<br>- [WindowsSandbox/AllowVGPU](mdm/policy-csp-windowssandbox.md#windowssandbox-allowvgpu)<br>- [WindowsSandbox/AllowVideoInput](mdm/policy-csp-windowssandbox.md#windowssandbox-allowvideoinput) |
## September 2020
|New or updated article | Description|
|--- | ---|
|[NetworkQoSPolicy CSP](mdm/networkqospolicy-csp.md)|Updated support information of the NetworkQoSPolicy CSP.|
|[Policy CSP - LocalPoliciesSecurityOptions](mdm/policy-csp-localpoliciessecurityoptions.md)|Removed the following unsupported LocalPoliciesSecurityOptions policy settings from the documentation:<br>- RecoveryConsole_AllowAutomaticAdministrativeLogon <br>- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways<br>- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible<br>- DomainMember_DisableMachineAccountPasswordChanges<br>- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems<br>|
## August 2020
|New or updated article | Description|
|--- | ---|
|[Policy CSP - System](mdm/policy-csp-system.md)|Removed the following policy settings:<br> - System/AllowDesktopAnalyticsProcessing <br>- System/AllowMicrosoftManagedDesktopProcessing <br> - System/AllowUpdateComplianceProcessing<br> - System/AllowWUfBCloudProcessing <br>|
## July 2020
|New or updated article | Description|
|--- | ---|
|[Policy CSP - System](mdm/policy-csp-system.md)|Added the following new policy settings:<br> - System/AllowDesktopAnalyticsProcessing <br>- System/AllowMicrosoftManagedDesktopProcessing <br> - System/AllowUpdateComplianceProcessing<br> - System/AllowWUfBCloudProcessing <br> <br><br>Updated the following policy setting:<br>- <a href="mdm/policy-csp-system.md#system-allowcommercialdatapipeline" id="system-allowcommercialdatapipeline">System/AllowCommercialDataPipeline</a> <br>|
## June 2020
|New or updated article | Description|
|--- | ---|
|[BitLocker CSP](mdm/bitlocker-csp.md)|Added SKU support table for **AllowStandardUserEncryption**.|
|[Policy CSP - NetworkIsolation](mdm/policy-csp-networkisolation.md)|Updated the description from Boolean to Integer for the following policy settings:<br>EnterpriseIPRangesAreAuthoritative, EnterpriseProxyServersAreAuthoritative.|
## May 2020
|New or updated article | Description|
|--- | ---|
|[BitLocker CSP](mdm/bitlocker-csp.md)|Added the bitmask table for the Status/DeviceEncryptionStatus node.|
|[Policy CSP - RestrictedGroups](mdm/policy-csp-restrictedgroups.md)| Updated the topic with more details. Added policy timeline table.
## February 2020
|New or updated article | Description|
|--- | ---|
|[CertificateStore CSP](mdm/certificatestore-csp.md)<br>[ClientCertificateInstall CSP](mdm/clientcertificateinstall-csp.md)|Added details about SubjectName value.|
## January 2020
|New or updated article | Description|
|--- | ---|
|[Policy CSP - Defender](mdm/policy-csp-defender.md)|Added descriptions for supported actions for Defender/ThreatSeverityDefaultAction.|
## November 2019
|New or updated article | Description|
|--- | ---|
|[Policy CSP - DeliveryOptimization](mdm/policy-csp-deliveryoptimization.md)|Added option 5 in the supported values list for DeliveryOptimization/DOGroupIdSource.|
|[DiagnosticLog CSP](mdm/diagnosticlog-csp.md)|Added substantial updates to this CSP doc.|
## October 2019
|New or updated article | Description|
|--- | ---|
|[BitLocker CSP](mdm/bitlocker-csp.md)|Added the following new nodes:<br>ConfigureRecoveryPasswordRotation, RotateRecoveryPasswords, RotateRecoveryPasswordsStatus, RotateRecoveryPasswordsRequestID.|
|[Defender CSP](mdm/defender-csp.md)|Added the following new nodes:<br>Health/TamperProtectionEnabled, Health/IsVirtualMachine, Configuration, Configuration/TamperProtection, Configuration/EnableFileHashComputation.|
## September 2019
|New or updated article | Description|
|--- | ---|
|[EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md)|Added the following new node:<br>IsStub.|
|[Policy CSP - Defender](mdm/policy-csp-defender.md)|Updated the supported value list for Defender/ScheduleScanDay policy.|
|[Policy CSP - DeviceInstallation](mdm/policy-csp-deviceinstallation.md)|Added the following new policies: <br>DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs, DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs.|
## August 2019
|New or updated article | Description|
|--- | ---|
|[DiagnosticLog CSP](mdm/diagnosticlog-csp.md)<br>[DiagnosticLog DDF](mdm/diagnosticlog-ddf.md)|Added version 1.4 of the CSP in Windows 10, version 1903. Added the new 1.4 version of the DDF. Added the following new nodes:<br>Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelName/MaximumFileSize, Policy/Channels/ChannelName/SDDL, Policy/Channels/ChannelName/ActionWhenFull, Policy/Channels/ChannelName/Enabled, DiagnosticArchive, DiagnosticArchive/ArchiveDefinition, DiagnosticArchive/ArchiveResults.|
|[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)|Enhanced the article to include more reference links and the following two topics:<br>Verify auto-enrollment requirements and settings, Troubleshoot auto-enrollment of devices.|
## July 2019
|New or updated article | Description|
|--- | ---|
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following list:<br>Policies supported by HoloLens 2|
|[ApplicationControl CSP](mdm/applicationcontrol-csp.md)|Added new CSP in Windows 10, version 1903.|
|[PassportForWork CSP](mdm/passportforwork-csp.md)|Added the following new nodes in Windows 10, version 1903:<br>SecurityKey, SecurityKey/UseSecurityKeyForSignin|
|[Policy CSP - Privacy](mdm/policy-csp-privacy.md)|Added the following new policies:<br>LetAppsActivateWithVoice, LetAppsActivateWithVoiceAboveLock|
|Create a custom configuration service provider|Deleted the following documents from the CSP reference because extensibility via CSPs isn't currently supported:<br>Create a custom configuration service provider<br>Design a custom configuration service provider<br>IConfigServiceProvider2<br>IConfigServiceProvider2::ConfigManagerNotification<br>IConfigServiceProvider2::GetNode<br>ICSPNode<br>ICSPNode::Add<br>ICSPNode::Clear<br>ICSPNode::Copy<br>ICSPNode::DeleteChild<br>ICSPNode::DeleteProperty<br>ICSPNode::Execute<br>ICSPNode::GetChildNodeNames<br>ICSPNode::GetProperty<br>ICSPNode::GetPropertyIdentifiers<br>ICSPNode::GetValue<br>ICSPNode::Move<br>ICSPNode::SetProperty<br>ICSPNode::SetValue<br>ICSPNodeTransactioning<br>ICSPValidate<br>Samples for writing a custom configuration service provider.|
## June 2019
|New or updated article | Description|
|--- | ---|
|[Policy CSP - DeviceHealthMonitoring](mdm/policy-csp-devicehealthmonitoring.md)|Added the following new policies:<br>AllowDeviceHealthMonitoring, ConfigDeviceHealthMonitoringScope, ConfigDeviceHealthMonitoringUploadDestination.|
|[Policy CSP - TimeLanguageSettings](mdm/policy-csp-timelanguagesettings.md)|Added the following new policy:<br>ConfigureTimeZone.|
## May 2019
|New or updated article | Description|
|--- | ---|
|[DeviceStatus CSP](mdm/devicestatus-csp.md)|Updated description of the following nodes:<br>DeviceStatus/Antivirus/SignatureStatus, DeviceStatus/Antispyware/SignatureStatus.|
|[EnrollmentStatusTracking CSP](mdm/enrollmentstatustracking-csp.md)|Added new CSP in Windows 10, version 1903.|
|[Policy CSP - DeliveryOptimization](mdm/policy-csp-deliveryoptimization.md)|Added the following new policies:<br> DODelayCacheServerFallbackBackground, DODelayCacheServerFallbackForeground.<br><br>Updated description of the following policies:<br>DOMinRAMAllowedToPeer, DOMinFileSizeToCache, DOMinDiskSizeAllowedToPeer.|
|[Policy CSP - Experience](mdm/policy-csp-experience.md)|Added the following new policy:<br>ShowLockOnUserTile.|
|[Policy CSP - InternetExplorer](mdm/policy-csp-internetexplorer.md)|Added the following new policies:<br>AllowEnhancedSuggestionsInAddressBar, DisableActiveXVersionListAutoDownload, DisableCompatView, DisableFeedsBackgroundSync, DisableGeolocation, DisableWebAddressAutoComplete, NewTabDefaultPage.|
|[Policy CSP - Power](mdm/policy-csp-power.md)|Added the following new policies:<br>EnergySaverBatteryThresholdOnBattery, EnergySaverBatteryThresholdPluggedIn, SelectLidCloseActionOnBattery, SelectLidCloseActionPluggedIn, SelectPowerButtonActionOnBattery, SelectPowerButtonActionPluggedIn, SelectSleepButtonActionOnBattery, SelectSleepButtonActionPluggedIn, TurnOffHybridSleepOnBattery, TurnOffHybridSleepPluggedIn, UnattendedSleepTimeoutOnBattery, UnattendedSleepTimeoutPluggedIn.|
|[Policy CSP - Search](mdm/policy-csp-search.md)|Added the following new policy:<br>AllowFindMyFiles.|
|[Policy CSP - ServiceControlManager](mdm/policy-csp-servicecontrolmanager.md)|Added the following new policy:<br>SvchostProcessMitigation.|
|[Policy CSP - System](mdm/policy-csp-system.md)|Added the following new policies:<br>AllowCommercialDataPipeline, TurnOffFileHistory.|
|[Policy CSP - Troubleshooting](mdm/policy-csp-troubleshooting.md)|Added the following new policy:<br>AllowRecommendations.|
|[Policy CSP - Update](mdm/policy-csp-update.md)|Added the following new policies:<br>AutomaticMaintenanceWakeUp, ConfigureDeadlineForFeatureUpdates, ConfigureDeadlineForQualityUpdates, ConfigureDeadlineGracePeriod, ConfigureDeadlineNoAutoReboot.|
|[Policy CSP - WindowsLogon](mdm/policy-csp-windowslogon.md)|Added the following new policies:<br>AllowAutomaticRestartSignOn, ConfigAutomaticRestartSignOn, EnableFirstLogonAnimation.<br><br>Removed the following policy:<br>SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart. This policy is replaced by AllowAutomaticRestartSignOn.|
## April 2019
| New or updated article | Description |
|-------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) | Added the following warning at the end of the Overview section:<br>Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it doesn't. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined. |
| [Policy CSP - UserRights](mdm/policy-csp-userrights.md) | Added a note stating if you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag (<![CDATA[...]]>) to wrap the data fields. |
## March 2019
|New or updated article | Description|
|--- | ---|
|[Policy CSP - Storage](mdm/policy-csp-storage.md)|Updated ADMX Info of the following policies:<br>AllowStorageSenseGlobal, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseCloudContentDehydrationThreshold, ConfigStorageSenseDownloadsCleanupThreshold, ConfigStorageSenseGlobalCadence, ConfigStorageSenseRecycleBinCleanupThreshold. <br><br>Updated description of ConfigStorageSenseDownloadsCleanupThreshold.|
## February 2019
|New or updated article | Description|
|--- | ---|
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Updated supported policies for Holographic.|
## January 2019
|New or updated article | Description|
|--- | ---|
|[Policy CSP - Storage](mdm/policy-csp-storage.md)|Added the following new policies: AllowStorageSenseGlobal, ConfigStorageSenseGlobalCadence, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseRecycleBinCleanupThreshold, ConfigStorageSenseDownloadsCleanupThreshold, and ConfigStorageSenseCloudContentCleanupThreshold.|
|[SharedPC CSP](mdm/sharedpc-csp.md)|Updated values and supported operations.|
|[Mobile device management](mdm/index.yml)|Updated information about MDM Security Baseline.|
## December 2018
|New or updated article | Description|
|--- | ---|
|[BitLocker CSP](mdm/bitlocker-csp.md)|Updated AllowWarningForOtherDiskEncryption policy description to describe silent and non-silent encryption scenarios, as well as where and how the recovery key is backed up for each scenario.|
## September 2018
|New or updated article | Description|
|--- | ---|
|[Policy CSP - DeviceGuard](mdm/policy-csp-deviceguard.md) | Updated ConfigureSystemGuardLaunch policy and replaced EnableSystemGuard with it.|
## August 2018
|New or updated article|Description|
|--- |--- |
|[BitLocker CSP](mdm/bitlocker-csp.md)|Added support for Windows 10 Pro starting in the version 1809.|
|[Office CSP](mdm/office-csp.md)|Added FinalStatus setting in Windows 10, version 1809.|
|[RemoteWipe CSP](mdm/remotewipe-csp.md)|Added new settings in Windows 10, version 1809.|
|[TenantLockdown CSP](mdm/tenantlockdown-csp.md)|Added new CSP in Windows 10, version 1809.|
|[WindowsDefenderApplicationGuard CSP](mdm/windowsdefenderapplicationguard-csp.md)|Added new settings in Windows 10, version 1809.|
|[Policy DDF file](mdm/policy-ddf-file.md)|Posted an updated version of the Policy DDF for Windows 10, version 1809.|
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies in Windows 10, version 1809:<li>Browser/AllowFullScreenMode<li>Browser/AllowPrelaunch<li>Browser/AllowPrinting<li>Browser/AllowSavingHistory<li>Browser/AllowSideloadingOfExtensions<li>Browser/AllowTabPreloading<li>Browser/AllowWebContentOnNewTabPage<li>Browser/ConfigureFavoritesBar<li>Browser/ConfigureHomeButton<li>Browser/ConfigureKioskMode<li>Browser/ConfigureKioskResetAfterIdleTimeout<li>Browser/ConfigureOpenMicrosoftEdgeWith<li>Browser/ConfigureTelemetryForMicrosoft365Analytics<li>Browser/PreventCertErrorOverrides<li>Browser/SetHomeButtonURL<li>Browser/SetNewTabPageURL<li>Browser/UnlockHomeButton<li>Experience/DoNotSyncBrowserSettings<li>Experience/PreventUsersFromTurningOnBrowserSyncing<li>Kerberos/UPNNameHints<li>Privacy/AllowCrossDeviceClipboard<li>Privacy<li>DisablePrivacyExperience<li>Privacy/UploadUserActivities<li>System/AllowDeviceNameInDiagnosticData<li>System/ConfigureMicrosoft365UploadEndpoint<li>System/DisableDeviceDelete<li>System/DisableDiagnosticDataViewer<li>Storage/RemovableDiskDenyWriteAccess<li>Update/UpdateNotificationLevel<br/><br/>Start/DisableContextMenus - added in Windows 10, version 1803.<br/><br/>RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy.|
## July 2018
|New or updated article|Description|
|--- |--- |
|[AssignedAccess CSP](mdm/assignedaccess-csp.md)|Added the following note:<br/><br/>You can only assign one single app kiosk profile to an individual user account on a device. The single app profile doesn't support domain groups.|
|[PassportForWork CSP](mdm/passportforwork-csp.md)|Added new settings in Windows 10, version 1809.|
|[EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md)|Added NonRemovable setting under AppManagement node in Windows 10, version 1809.|
|[Win32CompatibilityAppraiser CSP](mdm/win32compatibilityappraiser-csp.md)|Added new configuration service provider in Windows 10, version 1809.|
|[WindowsLicensing CSP](mdm/windowslicensing-csp.md)|Added S mode settings and SyncML examples in Windows 10, version 1809.|
|[SUPL CSP](mdm/supl-csp.md)|Added three new certificate nodes in Windows 10, version 1809.|
|[Defender CSP](mdm/defender-csp.md)|Added a new node Health/ProductStatus in Windows 10, version 1809.|
|[BitLocker CSP](mdm/bitlocker-csp.md)|Added a new node AllowStandardUserEncryption in Windows 10, version 1809.|
|[DevDetail CSP](mdm/devdetail-csp.md)|Added a new node SMBIOSSerialNumber in Windows 10, version 1809.|
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies in Windows 10, version 1809:<li>ApplicationManagement/LaunchAppAfterLogOn<li>ApplicationManagement/ScheduleForceRestartForUpdateFailures <li>Authentication/EnableFastFirstSignIn (Preview mode only)<li>Authentication/EnableWebSignIn (Preview mode only)<li>Authentication/PreferredAadTenantDomainName<li>Defender/CheckForSignaturesBeforeRunningScan<li>Defender/DisableCatchupFullScan <li>Defender/DisableCatchupQuickScan <li>Defender/EnableLowCPUPriority<li>Defender/SignatureUpdateFallbackOrder<li>Defender/SignatureUpdateFileSharesSources<li>DeviceGuard/ConfigureSystemGuardLaunch<li>DeviceInstallation/AllowInstallationOfMatchingDeviceIDs<li>DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses<li>DeviceInstallation/PreventDeviceMetadataFromNetwork<li>DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings<li>DmaGuard/DeviceEnumerationPolicy<li>Experience/AllowClipboardHistory<li>Security/RecoveryEnvironmentAuthentication<li>TaskManager/AllowEndTask<li>WindowsDefenderSecurityCenter/DisableClearTpmButton<li>WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning<li>WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl<li>WindowsLogon/DontDisplayNetworkSelectionUI<br/><br/>Recent changes:<li>DataUsage/SetCost3G - deprecated in Windows 10, version 1809.|
## June 2018
|New or updated article|Description|
|--- |--- |
|[Wifi CSP](mdm/wifi-csp.md)|Added a new node WifiCost in Windows 10, version 1809.|
|[Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)|Recent changes:<li>Added procedure for collecting logs remotely from Windows 10 Holographic.<li>Added procedure for downloading the MDM Diagnostic Information log.|
|[BitLocker CSP](mdm/bitlocker-csp.md)|Added new node AllowStandardUserEncryption in Windows 10, version 1809.|
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Recent changes:<li>AccountPoliciesAccountLockoutPolicy<li>AccountLockoutDuration - removed from docs. Not supported.<li>AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold - removed from docs. Not supported.<li>AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter - removed from docs. Not supported.<li>LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers - removed from docs. Not supported.<li>System/AllowFontProviders isn't supported in HoloLens (first gen) Commercial Suite.<li>Security/RequireDeviceEncryption is supported in the Home SKU.<li>Start/StartLayout - added a table of SKU support information.<li>Start/ImportEdgeAssets - added a table of SKU support information.<br/><br/>Added the following new policies in Windows 10, version 1809:<li>Update/EngagedRestartDeadlineForFeatureUpdates<li>Update/EngagedRestartSnoozeScheduleForFeatureUpdates<li>Update/EngagedRestartTransitionScheduleForFeatureUpdates<li>Update/SetDisablePauseUXAccess<li>Update/SetDisableUXWUAccess|
|[WiredNetwork CSP](mdm/wirednetwork-csp.md)|New CSP added in Windows 10, version 1809.|
## May 2018
|New or updated article|Description|
|--- |--- |
|[Policy DDF file](mdm/policy-ddf-file.md)|Updated the DDF files in the Windows 10 version 1703 and 1709.<li>[Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)<li>[Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)|
## April 2018
|New or updated article|Description|
|--- |--- |
|[WindowsDefenderApplicationGuard CSP](mdm/windowsdefenderapplicationguard-csp.md)|Added the following node in Windows 10, version 1803:<li>Settings/AllowVirtualGPU<li>Settings/SaveFilesToHost|
|[NetworkProxy CSP](mdm/networkproxy-csp.md)|Added the following node in Windows 10, version 1803:<li>ProxySettingsPerUser|
|[Accounts CSP](mdm/accounts-csp.md)|Added a new CSP in Windows 10, version 1803.|
|[CSP DDF files download](mdm/configuration-service-provider-ddf.md)|Added the DDF download of Windows 10, version 1803 configuration service providers.|
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:<li>Bluetooth/AllowPromptedProximalConnections<li>KioskBrowser/EnableEndSessionButton<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers|
## March 2018
|New or updated article|Description|
|--- |--- |
|[eUICCs CSP](mdm/euiccs-csp.md)|Added the following node in Windows 10, version 1803:<li>IsEnabled|
|[DeviceStatus CSP](mdm/devicestatus-csp.md)|Added the following node in Windows 10, version 1803:<li>OS/Mode|
|[Understanding ADMX-backed policies](understanding-admx-backed-policies.md)|Added the following videos:<li>[How to create a custom xml to enable an ADMX-backed policy and deploy the XML in Intune](https://www.microsoft.com/showcase/video.aspx?uuid=bdc9b54b-11b0-4bdb-a022-c339d16e7121)<li>[How to import a custom ADMX file to a device using Intune](https://www.microsoft.com/showcase/video.aspx?uuid=a59888b1-429f-4a49-8570-c39a143d9a73)|
|[AccountManagement CSP](mdm/accountmanagement-csp.md)|Added a new CSP in Windows 10, version 1803.|
|[RootCATrustedCertificates CSP](mdm/rootcacertificates-csp.md)|Added the following node in Windows 10, version 1803:<li>UntrustedCertificates|
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:<li>ApplicationDefaults/EnableAppUriHandlers<li>ApplicationManagement/MSIAllowUserControlOverInstall<li>ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges<li>Connectivity/AllowPhonePCLinking<li>Notifications/DisallowCloudNotification<li>Notifications/DisallowTileNotification<li>RestrictedGroups/ConfigureGroupMembership<br/><br/>The following existing policies were updated:<li>Browser/AllowCookies - updated the supported values. There are three values - 0, 1, 2.<li>InternetExplorer/AllowSiteToZoneAssignmentList - updated the description and added an example SyncML<li>TextInput/AllowIMENetworkAccess - introduced new suggestion services in Japanese IME in addition to cloud suggestion.<br/><br/>Added a new section:<li>[[Policies in Policy CSP supported by Group Policy](mdm/policies-in-policy-csp-supported-by-group-policy.md) - list of policies in Policy CSP that has corresponding Group Policy. The policy description contains the GP information, such as GP policy name and variable name.|
|[Policy CSP - Bluetooth](mdm/policy-csp-bluetooth.md)|Added new section [ServicesAllowedList usage guide](mdm/policy-csp-bluetooth.md#servicesallowedlist-usage-guide).|
|[MultiSIM CSP](mdm/multisim-csp.md)|Added SyncML examples and updated the settings descriptions.|
|[RemoteWipe CSP](mdm/remotewipe-csp.md)|Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.|
## February 2018
|New or updated article|Description|
|--- |--- |
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:<li>Display/DisablePerProcessDpiForApps<li>Display/EnablePerProcessDpi<li>Display/EnablePerProcessDpiForApps<li>Experience/AllowWindowsSpotlightOnSettings<li>TextInput/ForceTouchKeyboardDockedState<li>TextInput/TouchKeyboardDictationButtonAvailability<li>TextInput/TouchKeyboardEmojiButtonAvailability<li>TextInput/TouchKeyboardFullModeAvailability<li>TextInput/TouchKeyboardHandwritingModeAvailability<li>TextInput/TouchKeyboardNarrowModeAvailability<li>TextInput/TouchKeyboardSplitModeAvailability<li>TextInput/TouchKeyboardWideModeAvailability|
|[VPNv2 ProfileXML XSD](mdm/vpnv2-profile-xsd.md)|Updated the XSD and Plug-in profile example for VPNv2 CSP.|
|[AssignedAccess CSP](mdm/assignedaccess-csp.md)|Added the following nodes in Windows 10, version 1803:<li>Status<li>ShellLauncher<li>StatusConfiguration<br/><br/>Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (first gen) Commercial Suite. Added example for HoloLens (first gen) Commercial Suite.|
|[MultiSIM CSP](mdm/multisim-csp.md)|Added a new CSP in Windows 10, version 1803.|
|[EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md)|Added the following node in Windows 10, version 1803:<li>MaintainProcessorArchitectureOnUpdate|
## January 2018
|New or updated article|Description|
|--- |--- |
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:<li>Browser/AllowConfigurationUpdateForBooksLibrary<li>Browser/AlwaysEnableBooksLibrary<li>Browser/EnableExtendedBooksTelemetry<li>Browser/UseSharedFolderForBooks<li>DeliveryOptimization/DODelayBackgroundDownloadFromHttp<li>DeliveryOptimization/DODelayForegroundDownloadFromHttp<li>DeliveryOptimization/DOGroupIdSource<li>DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth<li>DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth<li>DeliveryOptimization/DORestrictPeerSelectionBy<li>DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth<li>DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth<li>KioskBrowser/BlockedUrlExceptions<li>KioskBrowser/BlockedUrls<li>KioskBrowser/DefaultURL<li>KioskBrowser/EnableHomeButton<li>KioskBrowser/EnableNavigationButtons<li>KioskBrowser/RestartOnIdleTime<li>LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon<li>LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia<li>LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters<li>LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly<li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM<li>LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange<li>LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers<li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile<li>LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation<li>LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode<li>RestrictedGroups/ConfigureGroupMembership<li>Search/AllowCortanaInAAD<li>Search/DoNotUseWebResults<li>Security/ConfigureWindowsPasswords<li>System/FeedbackHubAlwaysSaveDiagnosticsLocally<li>SystemServices/ConfigureHomeGroupListenerServiceStartupMode<li>SystemServices/ConfigureHomeGroupProviderServiceStartupMode<li>SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode<li>SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode<li>SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode<li>SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode<li>TaskScheduler/EnableXboxGameSaveTask<li>TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode<li>Update/ConfigureFeatureUpdateUninstallPeriod<li>UserRights/AccessCredentialManagerAsTrustedCaller<li>UserRights/AccessFromNetwork<li>UserRights/ActAsPartOfTheOperatingSystem<li>UserRights/AllowLocalLogOn<li>UserRights/BackupFilesAndDirectories<li>UserRights/ChangeSystemTime<li>UserRights/CreateGlobalObjects<li>UserRights/CreatePageFile<li>UserRights/CreatePermanentSharedObjects<li>UserRights/CreateSymbolicLinks<li>UserRights/CreateToken<li>UserRights/DebugPrograms<li>UserRights/DenyAccessFromNetwork<li>UserRights/DenyLocalLogOn<li>UserRights/DenyRemoteDesktopServicesLogOn<li>UserRights/EnableDelegation<li>UserRights/GenerateSecurityAudits<li>UserRights/ImpersonateClient<li>UserRights/IncreaseSchedulingPriority<li>UserRights/LoadUnloadDeviceDrivers<li>UserRights/LockMemory<li>UserRights/ManageAuditingAndSecurityLog<li>UserRights/ManageVolume<li>UserRights/ModifyFirmwareEnvironment<li>UserRights/ModifyObjectLabel<li>UserRights/ProfileSingleProcess<li>UserRights/RemoteShutdown<li>UserRights/RestoreFilesAndDirectories<li>UserRights/TakeOwnership<li>WindowsDefenderSecurityCenter/DisableAccountProtectionUI<li>WindowsDefenderSecurityCenter/DisableDeviceSecurityUI<li>WindowsDefenderSecurityCenter/HideRansomwareDataRecovery<li>WindowsDefenderSecurityCenter/HideSecureBoot<li>WindowsDefenderSecurityCenter/HideTPMTroubleshooting<br/><br/>Added the following policies in Windows 10, version 1709<li>DeviceLock/MinimumPasswordAge<li>Settings/AllowOnlineTips<li>System/DisableEnterpriseAuthProxy<br/><br/>Security/RequireDeviceEncryption - updated to show it's supported in desktop.|
|[BitLocker CSP](mdm/bitlocker-csp.md)|Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.|
|[EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md)|Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.|
|[DMClient CSP](mdm/dmclient-csp.md)|Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:<li>AADSendDeviceToken<li>BlockInStatusPage<li>AllowCollectLogsButton<li>CustomErrorText<li>SkipDeviceStatusPage<li>SkipUserStatusPage|
|[Defender CSP](mdm/defender-csp.md)|Added new node (OfflineScan) in Windows 10, version 1803.|
|[UEFI CSP](mdm/uefi-csp.md)|Added a new CSP in Windows 10, version 1803.|
|[Update CSP](mdm/update-csp.md)|Added the following nodes in Windows 10, version 1803:<li>Rollback<li>Rollback/FeatureUpdate<li>Rollback/QualityUpdateStatus<li>Rollback/FeatureUpdateStatus|
## December 2017
|New or updated article|Description|
|--- |--- |
|[Configuration service provider reference](mdm/index.yml)|Added new section [CSP DDF files download](mdm/configuration-service-provider-ddf.md)|
## November 2017
|New or updated article|Description|
|--- |--- |
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following policies for Windows 10, version 1709:<li>Authentication/AllowFidoDeviceSignon<li>Cellular/LetAppsAccessCellularData<li>Cellular/LetAppsAccessCellularData_ForceAllowTheseApps<li>Cellular/LetAppsAccessCellularData_ForceDenyTheseApps<li>Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps<li>Start/HidePeopleBar<li>Storage/EnhancedStorageDevices<li>Update/ManagePreviewBuilds<li>WirelessDisplay/AllowMdnsAdvertisement<li>WirelessDisplay/AllowMdnsDiscovery<br/><br/>Added missing policies from previous releases:<li>Connectivity/DisallowNetworkConnectivityActiveTest<li>Search/AllowWindowsIndexer|
## October 2017
| New or updated article | Description |
| --- | --- |
| [Policy DDF file](mdm/policy-ddf-file.md) | Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709. |
| [Policy CSP](mdm/policy-configuration-service-provider.md) | Updated the following policies:<br/><br/>- Defender/ControlledFolderAccessAllowedApplications - string separator is `|` <br/>- Defender/ControlledFolderAccessProtectedFolders - string separator is `|` |
| [eUICCs CSP](mdm/euiccs-csp.md) | Added new CSP in Windows 10, version 1709. |
| [AssignedAccess CSP](mdm/assignedaccess-csp.md) | Added SyncML examples for the new Configuration node. |
| [DMClient CSP](mdm/dmclient-csp.md) | Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics. |
## September 2017
|New or updated article|Description|
|--- |--- |
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:<li>Authentication/AllowAadPasswordReset<li>Handwriting/PanelDefaultModeDocked<li>Search/AllowCloudSearch<li>System/LimitEnhancedDiagnosticDataWindowsAnalytics<br/><br/>Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709.|
|[AssignedAccess CSP](mdm/assignedaccess-csp.md)|Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.|
|Microsoft Store for Business and Microsoft Store|Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.|
|The [[MS-MDE2]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692)|The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:<li>UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.<li>ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.<li>DomainName - fully qualified domain name if the device is domain-joined.<br/><br/>For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.|
|[EnterpriseAPN CSP](mdm/enterpriseapn-csp.md)|Added a SyncML example.|
|[VPNv2 CSP](mdm/vpnv2-csp.md)|Added RegisterDNS setting in Windows 10, version 1709.|
|[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)|Added new topic to introduce a new Group Policy for automatic MDM enrollment.|
|[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)|New features in the Settings app:<li>User sees installation progress of critical policies during MDM enrollment.<li>User knows what policies, profiles, apps MDM has configured<li>IT helpdesk can get detailed MDM diagnostic information using client tools<br/><br/>For details, see [Managing connections](mdm-enrollment-of-windows-devices.md#manage-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)|
## August 2017
|New or updated article|Description|
|--- |--- |
|[Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md)|Added new step-by-step guide to enable ADMX-backed policies.|
|[Mobile device enrollment](mobile-device-enrollment.md)|Added the following statement:<br/><br/>Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.|
|[CM_CellularEntries CSP](mdm/cm-cellularentries-csp.md)|Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.|
|[EnterpriseDataProtection CSP](mdm/enterprisedataprotection-csp.md)|Updated the Settings/EDPEnforcementLevel values to the following values:<li> 0 (default) Off / No protection (decrypts previously protected data).<li> 1 Silent mode (encrypt and audit only).<li> 2 Allow override mode (encrypt, prompt and allow overrides, and audit).<li> 3 Hides overrides (encrypt, prompt but hide overrides, and audit).|
|[AppLocker CSP](mdm/applocker-csp.md)|Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Allowlist examples](mdm/applocker-csp.md#allow-list-examples).|
|[DeviceManageability CSP](mdm/devicemanageability-csp.md)|Added the following settings in Windows 10, version 1709:<li>Provider/ProviderID/ConfigInfo<li> Provider/ProviderID/EnrollmentInfo|
|[Office CSP](mdm/office-csp.md)|Added the following setting in Windows 10, version 1709:<li>Installation/CurrentStatus|
|[BitLocker CSP](mdm/bitlocker-csp.md)|Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to four digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.|
|[Firewall CSP](mdm/firewall-csp.md)|Updated the CSP and DDF topics. Here are the changes:<li>Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.<li>Changed some data types from integer to bool.<li>Updated the list of supported operations for some settings.<li>Added default values.|
|[Policy DDF file](mdm/policy-ddf-file.md)|Added another Policy DDF file [download](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:<li>Browser/AllowMicrosoftCompatibilityList<li>Update/DisableDualScan<li>Update/FillEmptyContentUrls|
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:<li>Browser/ProvisionFavorites<li>Browser/LockdownFavorites<li>ExploitGuard/ExploitProtectionSettings<li>Games/AllowAdvancedGamingServices<li>LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts<li>LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly<li>LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount<li>LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount<li>LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL<li>LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn<li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests<li>LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn<li>LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations<li>LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode<li>LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation<li>LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations<li>Privacy/EnableActivityFeed<li>Privacy/PublishUserActivities<li>Update/DisableDualScan<li>Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork<br/><br/>Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.<br/><br/>Changed the names of the following policies:<li>Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications<li>Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders<li>Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess<br/><br/>Added links to the extra [ADMX-backed BitLocker policies](mdm/policy-csp-bitlocker.md).<br/><br/>There were issues reported with the previous release of the following policies. These issues were fixed in Windows 10, version 1709:<li>Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts<li>Start/HideAppList|

96
windows/client-management/mdm/config-lock.md → windows/client-management/config-lock.md
View File

@ -4,8 +4,8 @@ description: A secured-core PC (SCPC) feature that prevents configuration drift
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w11
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 05/24/2022
---
@ -38,10 +38,10 @@ Config lock will be available for all Windows Professional and Enterprise Editio
Config lock isn't enabled by default, or turned on by the OS during boot. Rather, you need to turn it on.
The steps to turn on config lock using Microsoft Endpoint Manager (Microsoft Intune) are as follows:
The steps to turn on config lock using Microsoft Intune are as follows:
1. Ensure that the device to turn on config lock is enrolled in Microsoft Intune.
1. From the Microsoft Intune portal main page, select **Devices** > **Configuration Profiles** > **Create a profile**.
1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Configuration Profiles** > **Create a profile**.
1. Select the following and press **Create**:
- **Platform**: Windows 10 and later
- **Profile type**: Templates
@ -81,50 +81,50 @@ Config lock is designed to ensure that a secured-core PC isn't unintentionally m
|**CSPs** |
|-----|
|[BitLocker](bitlocker-csp.md) |
|[PassportForWork](passportforwork-csp.md) |
|[WindowsDefenderApplicationGuard](windowsdefenderapplicationguard-csp.md) |
|[ApplicationControl](applicationcontrol-csp.md)
|[BitLocker](mdm/bitlocker-csp.md) |
|[PassportForWork](mdm/passportforwork-csp.md) |
|[WindowsDefenderApplicationGuard](mdm/windowsdefenderapplicationguard-csp.md) |
|[ApplicationControl](mdm/applicationcontrol-csp.md)
|**MDM policies** | **Supported by Group Policy** |
|-----|-----|
|[DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md) | No |
|[DataProtection/LegacySelectiveWipeID](policy-csp-dataprotection.md) | No |
|[DeviceGuard/ConfigureSystemGuardLaunch](policy-csp-deviceguard.md) | Yes |
|[DeviceGuard/EnableVirtualizationBasedSecurity](policy-csp-deviceguard.md) | Yes |
|[DeviceGuard/LsaCfgFlags](policy-csp-deviceguard.md) | Yes |
|[DeviceGuard/RequirePlatformSecurityFeatures](policy-csp-deviceguard.md) | Yes |
|[DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/PreventDeviceMetadataFromNetwork](policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) | Yes |
|[DmaGuard/DeviceEnumerationPolicy](policy-csp-dmaguard.md) | Yes |
|[WindowsDefenderSecurityCenter/CompanyName](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableAccountProtectionUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableAppBrowserUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableClearTpmButton](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableEnhancedNotifications](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableFamilyUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableHealthUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableNetworkUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableNotifications](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](policy-csp-windowsdefendersecuritycenter.md)| Yes |
|[WindowsDefenderSecurityCenter/DisableVirusUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/Email](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/EnableCustomizedToasts](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/EnableInAppCustomization](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/HideSecureBoot](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/HideTPMTroubleshooting](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/Phone](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/URL](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[SmartScreen/EnableAppInstallControl](policy-csp-smartscreen.md)| Yes |
|[SmartScreen/EnableSmartScreenInShell](policy-csp-smartscreen.md) | Yes |
|[SmartScreen/PreventOverrideForFilesInShell](policy-csp-smartscreen.md) | Yes |
|[DataProtection/AllowDirectMemoryAccess](mdm/policy-csp-dataprotection.md) | No |
|[DataProtection/LegacySelectiveWipeID](mdm/policy-csp-dataprotection.md) | No |
|[DeviceGuard/ConfigureSystemGuardLaunch](mdm/policy-csp-deviceguard.md) | Yes |
|[DeviceGuard/EnableVirtualizationBasedSecurity](mdm/policy-csp-deviceguard.md) | Yes |
|[DeviceGuard/LsaCfgFlags](mdm/policy-csp-deviceguard.md) | Yes |
|[DeviceGuard/RequirePlatformSecurityFeatures](mdm/policy-csp-deviceguard.md) | Yes |
|[DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](mdm/policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](mdm/policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](mdm/policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/PreventDeviceMetadataFromNetwork](mdm/policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](mdm/policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](mdm/policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](mdm/policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](mdm/policy-csp-deviceinstallation.md) | Yes |
|[DmaGuard/DeviceEnumerationPolicy](mdm/policy-csp-dmaguard.md) | Yes |
|[WindowsDefenderSecurityCenter/CompanyName](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableAccountProtectionUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableAppBrowserUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableClearTpmButton](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableEnhancedNotifications](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableFamilyUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableHealthUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableNetworkUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableNotifications](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](mdm/policy-csp-windowsdefendersecuritycenter.md)| Yes |
|[WindowsDefenderSecurityCenter/DisableVirusUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/Email](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/EnableCustomizedToasts](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/EnableInAppCustomization](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/HideSecureBoot](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/HideTPMTroubleshooting](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/Phone](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/URL](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[SmartScreen/EnableAppInstallControl](mdm/policy-csp-smartscreen.md)| Yes |
|[SmartScreen/EnableSmartScreenInShell](mdm/policy-csp-smartscreen.md) | Yes |
|[SmartScreen/PreventOverrideForFilesInShell](mdm/policy-csp-smartscreen.md) | Yes |

3
windows/client-management/connect-to-remote-aadj-pc.md
View File

@ -1,7 +1,7 @@
---
title: Connect to remote Azure Active Directory-joined PC (Windows)
description: You can use Remote Desktop Connection to connect to an Azure AD-joined PC.
ms.prod: w10
ms.prod: windows-client
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.author: vinpa
@ -10,6 +10,7 @@ ms.reviewer:
manager: aaroncz
ms.topic: article
ms.collection: highpri
ms.technology: itpro-manage
---
# Connect to remote Azure Active Directory-joined PC

382
windows/client-management/data-collection-for-802-authentication.md
View File

@ -1,382 +0,0 @@
---
title: Data collection for troubleshooting 802.1X authentication
ms.reviewer:
manager: dansimp
description: Use the steps in this article to collect data that can be used to troubleshoot 802.1X authentication issues.
ms.prod: w10
author: dansimp
ms.localizationpriority: medium
ms.author: dansimp
ms.topic: troubleshooting
---
# Data collection for troubleshooting 802.1X authentication
Use the following steps to collect data that can be used to troubleshoot 802.1X authentication issues. When you have collected data, see [Advanced troubleshooting 802.1X authentication](advanced-troubleshooting-802-authentication.md).
## Capture wireless/wired functionality logs
Use the following steps to collect wireless and wired logs on Windows and Windows Server:
1. Create C:\MSLOG on the client machine to store captured logs.
2. Launch an elevated command prompt on the client machine, and run the following commands to start a RAS trace log and a Wireless/Wired scenario log.
**Wireless Windows 8.1, Windows 10, and Windows 11:**
```
netsh ras set tracing * enabled
netsh trace start scenario=wlan,wlan_wpp,wlan_dbg,wireless_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl
```
<br>**Wireless Windows 7 and Windows 8:**
```
netsh ras set tracing * enabled
netsh trace start scenario=wlan,wlan_wpp,wlan_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl
```
<br>**Wired client, regardless of version**
```
netsh ras set tracing * enabled
netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_cli.etl
```
3. Run the following command to enable CAPI2 logging and increase the size:
```
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
wevtutil sl Microsoft-Windows-CAPI2/Operational /ms:104857600
```
4. Create C:\MSLOG on the NPS to store captured logs.
5. Launch an elevated command prompt on the NPS server and run the following commands to start a RAS trace log and a Wireless/Wired scenario log:
**Windows Server 2012 R2, Windows Server 2016 wireless network:**
```
netsh ras set tracing * enabled
netsh trace start scenario=wlan,wlan_wpp,wlan_dbg,wireless_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl
```
<br>**Windows Server 2008 R2, Windows Server 2012 wireless network**
```
netsh ras set tracing * enabled
netsh trace start scenario=wlan,wlan_wpp,wlan_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl
```
<br>**Wired network**
```
netsh ras set tracing * enabled
netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_nps.etl
```
6. Run the following command to enable CAPI2 logging and increase the size:
```
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
wevtutil sl Microsoft-Windows-CAPI2/Operational /ms:104857600
```
7. Run the following command from the command prompt on the client machine and start PSR to capture screen images:
> [!NOTE]
> When the mouse button is clicked, the cursor will blink in red while capturing a screen image.
```
psr /start /output c:\MSLOG\%computername%_psr.zip /maxsc 100
```
8. Repro the issue.
9. Run the following command on the client PC to stop the PSR capturing:
```
psr /stop
```
10. Run the following commands from the command prompt on the NPS server.
- To stop RAS trace log and wireless scenario log:
```
netsh trace stop
netsh ras set tracing * disabled
```
- To disable and copy CAPI2 log:
```
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx
```
11. Run the following commands on the client PC.
- To stop RAS trace log and wireless scenario log:
```
netsh trace stop
netsh ras set tracing * disabled
```
- To disable and copy the CAPI2 log:
```
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx
```
12. Save the following logs on the client and the NPS:
**Client**
- C:\MSLOG\%computername%_psr.zip
- C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx
- C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl
- C:\MSLOG\%COMPUTERNAME%_wireless_cli.cab
- All log files and folders in %Systemroot%\Tracing
**NPS**
- C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx
- C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl (%COMPUTERNAME%_wired_nps.etl for wired scenario)
- C:\MSLOG\%COMPUTERNAME%_wireless_nps.cab (%COMPUTERNAME%_wired_nps.cab for wired scenario)
- All log files and folders in %Systemroot%\Tracing
## Save environment and configuration information
### On Windows client
1. Create C:\MSLOG to store captured logs.
2. Launch a command prompt as an administrator.
3. Run the following commands.
- Environment information and Group Policy application status
```
gpresult /H C:\MSLOG\%COMPUTERNAME%_gpresult.htm
msinfo32 /report c:\MSLOG\%COMPUTERNAME%_msinfo32.txt
ipconfig /all > c:\MSLOG\%COMPUTERNAME%_ipconfig.txt
route print > c:\MSLOG\%COMPUTERNAME%_route_print.txt
```
- Event logs
```
wevtutil epl Application c:\MSLOG\%COMPUTERNAME%_Application.evtx
wevtutil epl System c:\MSLOG\%COMPUTERNAME%_System.evtx
wevtutil epl Security c:\MSLOG\%COMPUTERNAME%_Security.evtx
wevtutil epl Microsoft-Windows-GroupPolicy/Operational C:\MSLOG\%COMPUTERNAME%_GroupPolicy_Operational.evtx
wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%_Microsoft-Windows-WLAN-AutoConfig-Operational.evtx
wevtutil epl "Microsoft-Windows-Wired-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%_Microsoft-Windows-Wired-AutoConfig-Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-CredentialRoaming_Operational.evtx
wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%_CertPoleEng_Operational.evtx
```
- For Windows 8 and later, also run these commands for event logs:
```
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-System_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-User_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServices-Deployment_Operational.evtx
```
- Certificates Store information:
```
certutil -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%_cert-Personal-Registry.txt
certutil -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-Registry.txt
certutil -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-GroupPolicy.txt
certutil -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_TrustedRootCA-Enterprise.txt
certutil -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Reg.txt
certutil -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-GroupPolicy.txt
certutil -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Enterprise.txt
certutil -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-Registry.txt
certutil -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-GroupPolicy.txt
certutil -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%_cert-Intermediate-Enterprise.txt
certutil -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Registry.txt
certutil -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-GroupPolicy.txt
certutil -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Enterprise.txt
certutil -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Registry.txt
certutil -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-GroupPolicy.txt
certutil -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Enterprise.txt
certutil -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%_cert-NtAuth-Enterprise.txt
certutil -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%_cert-User-Personal-Registry.txt
certutil -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Registry.txt
certutil -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Enterprise.txt
certutil -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-Registry.txt
certutil -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-GroupPolicy.txt
certutil -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-Registry.txt
certutil -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-GroupPolicy.txt
certutil -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-Registry.txt
certutil -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-GroupPolicy.txt
certutil -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-Registry.txt
certutil -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-GroupPolicy.txt
certutil -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-Registry.txt
certutil -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-GroupPolicy.txt
certutil -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%_cert-User-UserDS.txt
```
- Wireless LAN client information:
```
netsh wlan show all > c:\MSLOG\%COMPUTERNAME%_wlan_show_all.txt
netsh wlan export profile folder=c:\MSLOG\
```
- Wired LAN Client information
```
netsh lan show interfaces > c:\MSLOG\%computername%_lan_interfaces.txt
netsh lan show profiles > c:\MSLOG\%computername%_lan_profiles.txt
netsh lan show settings > c:\MSLOG\%computername%_lan_settings.txt
netsh lan export profile folder=c:\MSLOG\
```
4. Save the logs stored in C:\MSLOG.
### On NPS
1. Create C:\MSLOG to store captured logs.
2. Launch a command prompt as an administrator.
3. Run the following commands.
- Environmental information and Group Policies application status:
```
gpresult /H C:\MSLOG\%COMPUTERNAME%_gpresult.txt
msinfo32 /report c:\MSLOG\%COMPUTERNAME%_msinfo32.txt
ipconfig /all > c:\MSLOG\%COMPUTERNAME%_ipconfig.txt
route print > c:\MSLOG\%COMPUTERNAME%_route_print.txt
```
- Event logs:
```
wevtutil epl Application c:\MSLOG\%COMPUTERNAME%_Application.evtx
wevtutil epl System c:\MSLOG\%COMPUTERNAME%_System.evtx
wevtutil epl Security c:\MSLOG\%COMPUTERNAME%_Security.evtx
wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%_GroupPolicy_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-CredentialRoaming_Operational.evtx
wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%_CertPoleEng_Operational.evtx
```
- Run the following commands on Windows Server 2012 and later:
```
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-System_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-User_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServices-Deployment_Operational.evtx
```
- Certificates store information
```
certutil -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%_cert-Personal-Registry.txt
certutil -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-Registry.txt
certutil -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-GroupPolicy.txt
certutil -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_TrustedRootCA-Enterprise.txt
certutil -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Reg.txt
certutil -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-GroupPolicy.txt
certutil -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Enterprise.txt
certutil -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-Registry.txt
certutil -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-GroupPolicy.txt
certutil -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%_cert-Intermediate-Enterprise.txt
certutil -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Registry.txt
certutil -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-GroupPolicy.txt
certutil -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Enterprise.txt
certutil -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Registry.txt
certutil -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-GroupPolicy.txt
certutil -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Enterprise.txt
certutil -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%_cert-NtAuth-Enterprise.txt
certutil -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%_cert-User-Personal-Registry.txt
certutil -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Registry.txt
certutil -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Enterprise.txt
certutil -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-Registry.txt
certutil -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-GroupPolicy.txt
certutil -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-Registry.txt
certutil -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-GroupPolicy.txt
certutil -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-Registry.txt
certutil -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-GroupPolicy.txt
certutil -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-Registry.txt
certutil -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-GroupPolicy.txt
certutil -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-Registry.txt
certutil -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-GroupPolicy.txt
certutil -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%_cert-User-UserDS.txt
```
- NPS configuration information:
```
netsh nps show config > C:\MSLOG\%COMPUTERNAME%_nps_show_config.txt
netsh nps export filename=C:\MSLOG\%COMPUTERNAME%_nps_export.xml exportPSK=YES
```
3. Take the following steps to save an NPS accounting log.
1. Open **Administrative tools > Network Policy Server**.
2. On the Network Policy Server administration tool, select **Accounting** in the left pane.
3. Click **Change Log File Properties**.
4. On the **Log File** tab, note the log file naming convention shown as **Name** and the log file location shown in **Directory** box.
5. Copy the log file to C:\MSLOG.
4. Save the logs stored in C:\MSLOG.
## Certification Authority (CA) (OPTIONAL)
1. On a CA, launch a command prompt as an administrator. Create C:\MSLOG to store captured logs.
2. Run the following commands.
- Environmental information and Group Policies application status
```
gpresult /H C:\MSLOG\%COMPUTERNAME%_gpresult.txt
msinfo32 /report c:\MSLOG\%COMPUTERNAME%_msinfo32.txt
ipconfig /all > c:\MSLOG\%COMPUTERNAME%_ipconfig.txt
route print > c:\MSLOG\%COMPUTERNAME%_route_print.txt
```
- Event logs
```
wevtutil epl Application c:\MSLOG\%COMPUTERNAME%_Application.evtx
wevtutil epl System c:\MSLOG\%COMPUTERNAME%_System.evtx
wevtutil epl Security c:\MSLOG\%COMPUTERNAME%_Security.evtx
wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%_GroupPolicy_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-CredentialRoaming_Operational.evtx
wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%_CertPoleEng_Operational.evtx
```
- Run the following lines on Windows 2012 and up
```
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-System_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-User_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServices-Deployment_Operational.evtx
```
- Certificates store information
```
certutil -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%_cert-Personal-Registry.txt
certutil -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-Registry.txt
certutil -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-GroupPolicy.txt
certutil -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_TrustedRootCA-Enterprise.txt
certutil -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Reg.txt
certutil -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-GroupPolicy.txt
certutil -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Enterprise.txt
certutil -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-Registry.txt
certutil -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-GroupPolicy.txt
certutil -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%_cert-Intermediate-Enterprise.txt
certutil -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Registry.txt
certutil -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-GroupPolicy.txt
certutil -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Enterprise.txt
certutil -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Registry.txt
certutil -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-GroupPolicy.txt
certutil -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Enterprise.txt
certutil -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%_cert-NtAuth-Enterprise.txt
certutil -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%_cert-User-Personal-Registry.txt
certutil -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Registry.txt
certutil -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Enterprise.txt
certutil -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-Registry.txt
certutil -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-GroupPolicy.txt
certutil -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-Registry.txt
certutil -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-GroupPolicy.txt
certutil -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-Registry.txt
certutil -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-GroupPolicy.txt
certutil -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-Registry.txt
certutil -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-GroupPolicy.txt
certutil -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-Registry.txt
certutil -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-GroupPolicy.txt
certutil -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%_cert-User-UserDS.txt
```
- CA configuration information
```
reg save HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%_CertSvc.hiv
reg export HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%_CertSvc.txt
reg save HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%_Cryptography.hiv
reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%_Cryptography.txt
```
3. Copy the following files, if exist, to C:\MSLOG: %windir%\CAPolicy.inf
4. Sign in to a domain controller and create C:\MSLOG to store captured logs.
5. Launch Windows PowerShell as an administrator.
6. Run the following PowerShell cmdlets. Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for "; test.local"; domain.
```powershell
Import-Module ActiveDirectory
Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter * -Properties * | fl * > C:\MSLOG\Get-ADObject_$Env:COMPUTERNAME.txt
```
7. Save the following logs.
- All files in C:\MSLOG on the CA
- All files in C:\MSLOG on the domain controller

4
windows/client-management/mdm/data-structures-windows-store-for-business.md → windows/client-management/data-structures-windows-store-for-business.md
View File

@ -8,8 +8,8 @@ ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/18/2017
---

129
windows/client-management/determine-appropriate-page-file-size.md
View File

@ -1,129 +0,0 @@
---
title: How to determine the appropriate page file size for 64-bit versions of Windows
description: Learn how to determine the appropriate page file size for 64-bit versions of Windows.
ms.prod: w10
ms.topic: troubleshooting
author: Deland-Han
ms.localizationpriority: medium
ms.author: delhan
ms.date: 8/28/2019
ms.reviewer: dcscontentpm
manager: dansimp
ms.collection: highpri
---
# How to determine the appropriate page file size for 64-bit versions of Windows
Page file sizing depends on the system crash dump setting requirements and the peak usage or expected peak usage of the system commit charge. Both considerations are unique to each system, even for systems that are identical. This uniqueness means that page file sizing is also unique to each system and can't be generalized.
## Determine the appropriate page file size
Use the following considerations for page file sizing for all versions of Windows and Windows Server.
### Crash dump setting
If you want a crash dump file to be created during a system crash, a page file or a dedicated dump file must exist and be large enough to back up the system crash dump setting. Otherwise, a system memory dump file isn't created.
For more information, see [Support for system crash dumps](introduction-page-file.md#support-for-system-crash-dumps) section.
### Peak system commit charge
The system commit charge can't exceed the system commit limit. This limit is the sum of physical memory (RAM) and all page files combined. If no page files exist, the system commit limit is slightly less than the physical memory that is installed. Peak system-committed memory usage can vary greatly between systems. Therefore, physical memory and page file sizing also vary.
### Quantity of infrequently accessed pages
The purpose of a page file is to *back* (support) infrequently accessed modified pages so that they can be removed from physical memory. This removal provides more available space for more frequently accessed pages. The "\Memory\Modified Page List Bytes" performance counter measures, in part, the number of infrequently accessed modified pages that are destined for the hard disk. However, not all the memory on the modified page list is written out to disk. Typically, several hundred megabytes of memory remains resident on the modified list. Therefore, consider extending or adding a page file if all the following conditions are true:
- More available physical memory (\Memory\Available MBytes) is required.
- The modified page list contains a significant amount of memory.
- The existing page files are fairly full (\Paging Files(*)\% Usage).
## Support for system crash dumps
A system crash (also known as a “bug check” or a "Stop error") occurs when the system can't run correctly. The dump file that is produced from this event is called a system crash dump. A page file or dedicated dump file is used to write a crash dump file (Memory.dmp) to disk. Therefore, a page file or a dedicated dump file must be large enough to support the kind of crash dump selected. Otherwise, the system can't create the crash dump file.
>[!Note]
>During startup, system-managed page files are sized respective to the system crash dump settings. This assumes that enough free disk space exists.
|System crash dump setting |Minimum page file size requirement|
|-----------|-------------------|
|Small memory dump (256 KB) |1 MB|
|Kernel memory dump |Depends on kernel virtual memory usage|
|Complete memory dump |1 x RAM plus 257 MB*|
|Automatic memory dump |Depends on kernel virtual memory usage. For details, see Automatic memory dump.|
\* 1 MB of header data and device drivers can total 256 MB of secondary crash dump data.
The **Automatic memory dump** setting is enabled by default. This setting is an alternative to a kind of crash dump. This setting automatically selects the best page file size, depending on the frequency of system crashes.
The Automatic memory dump feature initially selects a small paging file size. It would accommodate the kernel memory most of the time. If the system crashes again within four weeks, the Automatic memory dump feature sets the page file size as either the RAM size or 32 GB, whichever is smaller.
Kernel memory crash dumps require enough page file space or dedicated dump file space to accommodate the kernel mode side of virtual memory usage. If the system crashes again within four weeks of the previous crash, a Complete memory dump is selected at restart. This dump requires a page file or dedicated dump file of at least the size of physical memory (RAM) plus 1 MB for header information plus 256 MB for potential driver data to support all the potential data that is dumped from memory. Again, the system-managed page file will be increased to back this kind of crash dump. If the system is configured to have a page file or a dedicated dump file of a specific size, make sure that the size is sufficient to back the crash dump setting that is listed in the table earlier in this section together with and the peak system commit charge.
### Dedicated dump files
Computers that are running Microsoft Windows or Microsoft Windows Server usually must have a page file to support a system crash dump. System administrators can now create a dedicated dump file instead.
A dedicated dump file is a page file that isn't used for paging. Instead, it is “dedicated” to back a system crash dump file (Memory.dmp) when a system crash occurs. Dedicated dump files can be put on any disk volume that can support a page file. We recommend that you use a dedicated dump file if you want a system crash dump but you don't want a page file. To learn how to create it, see [Overview of memory dump file options for Windows](/troubleshoot/windows-server/performance/memory-dump-file-options).
## System-managed page files
By default, page files are system-managed. This system management means that the page files increase and decrease based on many factors, such as the amount of physical memory installed, the process of accommodating the system commit charge, and the process of accommodating a system crash dump.
For example, when the system commit charge is more than 90 percent of the system commit limit, the page file is increased to back it. This surge continues to occur until the page file reaches three times the size of physical memory or 4 GB, whichever is larger. Therefore, it's assumes that the logical disk that is hosting the page file is large enough to accommodate the growth.
The following table lists the minimum and maximum page file sizes of system-managed page files in Windows 10 and Windows 11.
|Minimum page file size |Maximum page file size|
|---------------|------------------|
|Varies based on page file usage history, amount of RAM (RAM ÷ 8, max 32 GB) and crash dump settings. |3 × RAM or 4 GB, whichever is larger. This size is then limited to the volume size ÷ 8. However, it can grow to within 1 GB of free space on the volume if necessary for crash dump settings.|
## Performance counters
Several performance counters are related to page files. This section describes the counters and what they measure.
### \Memory\Page/sec and other hard page fault counters
The following performance counters measure hard page faults (which include, but aren't limited to, page file reads):
- \Memory\Page/sec
- \Memory\Page Reads/sec
- \Memory\Page Inputs/sec
The following performance counters measure page file writes:
- \Memory\Page Writes/sec
- \Memory\Page Output/sec
Hard page faults are faults that must be resolved by retrieving the data from disk. Such data can include portions of DLLs, .exe files, memory-mapped files, and page files. These faults might or might not be related to a page file or to a low-memory condition. Hard page faults are a standard function of the operating system. They occur when the following items are read:
- Parts of image files (.dll and .exe files) as they're used
- Memory-mapped files
- A page file
High values for these counters (excessive paging) indicate disk access of generally 4 KB per page fault on x86 and x64 versions of Windows and Windows Server. This disk access might or might not be related to page file activity but may contribute to poor disk performance that can cause system-wide delays if the related disks are overwhelmed.
Therefore, we recommend that you monitor the disk performance of the logical disks that host a page file in correlation with these counters. A system that has a sustained 100 hard page faults per second experiences 400 KB per second disk transfers. Most 7,200-RPM disk drives can handle about 5 MB per second at an IO size of 16 KB or 800 KB per second at an IO size of 4 KB. No performance counter directly measures which logical disk the hard page faults are resolved for.
### \Paging File(*)\% Usage
The \Paging File(*)\% Usage performance counter measures the percentage of usage of each page file. 100 percent usage of a page file doesn't indicate a performance problem as long as the system commit limit isn't reached by the system commit charge, and if a significant amount of memory isn't waiting to be written to a page file.
>[!Note]
>The size of the Modified Page List (\Memory\Modified Page List Bytes) is the total of modified data that is waiting to be written to disk.
If the Modified Page List (a list of physical memory pages that are the least frequently accessed) contains lots of memory, and if the **% Usage** value of all page files is greater than 90, you can make more physical memory available for more frequently access pages by increasing or adding a page file.
>[!Note]
>Not all the memory on the modified page list is written out to disk. Typically, several hundred megabytes of memory remains resident on the modified list.
## Multiple page files and disk considerations
If a system is configured to have more than one page files, the page file that responds first is the one that is used. This customized configuration means that page files that are on faster disks are used more frequently. Also, whether you put a page file on a “fast” or “slow” disk is important only if the page file is frequently accessed and if the disk that is hosting the respective page file is overwhelmed. Actual page file usage depends greatly on the amount of modified memory that the system is managing. This dependency means that files that already exist on disk (such as .txt, .doc, .dll, and .exe) aren't written to a page file. Only modified data that doesn't already exist on disk (for example, unsaved text in Notepad) is memory that could potentially be backed by a page file. After the unsaved data is saved to disk as a file, it's backed by the disk and not by a page file.

26
windows/client-management/mdm/device-update-management.md → windows/client-management/device-update-management.md
View File

@ -5,14 +5,14 @@ ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 11/15/2017
ms.collection: highpri
---
# Mobile device management (MDM) for device updates
# Mobile device management (MDM) for device updates
>[!TIP]
>If you're not a developer or administrator, you'll find more helpful information in the [Windows Update: Frequently Asked Questions](https://support.microsoft.com/help/12373/windows-update-faq).
@ -36,7 +36,7 @@ In Windows 10, the MDM protocol has been extended to better enable IT admins to
The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the updates title, description, KB, update type, like a security update or service pack. For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c).
For more information about the CSPs, see [Update CSP](update-csp.md) and the update policy area of the [Policy CSP](policy-configuration-service-provider.md).
For more information about the CSPs, see [Update CSP](mdm/update-csp.md) and the update policy area of the [Policy CSP](mdm/policy-configuration-service-provider.md).
The following diagram provides a conceptual overview of how this works:
@ -130,11 +130,11 @@ The following list describes a suggested model for applying updates.
2. In the Test group, just let all updates flow.
3. In the All Group, set up Quality Update deferral for seven days. Then, Quality Updates will be auto approved after the seven days. Definition Updates are excluded from Quality Update deferrals, and will be auto approved when they're available. This schedule can be done by setting Update/DeferQualityUpdatesPeriodInDays to seven, and just letting updates flow after seven days or pushing Pause if any issues.
Updates are configured using a combination of the [Update CSP](update-csp.md), and the update portion of the [Policy CSP](policy-configuration-service-provider.md).
Updates are configured using a combination of the [Update CSP](mdm/update-csp.md), and the update portion of the [Policy CSP](mdm/policy-configuration-service-provider.md).
### Update policies
The enterprise IT can configure auto-update policies via OMA DM using the [Policy CSP](policy-configuration-service-provider.md) (this functionality isn't supported in Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP.
The enterprise IT can configure auto-update policies via OMA DM using the [Policy CSP](mdm/policy-configuration-service-provider.md) (this functionality isn't supported in Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP.
The following information shows the Update policies in a tree format.
@ -179,7 +179,7 @@ Policy
<a href="" id="update-activehoursend"></a>**Update/ActiveHoursEnd**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1607. When used with **Update/ActiveHoursStart**, it allows the IT admin to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. There's a 12-hour maximum from start time.
@ -193,7 +193,7 @@ The default is 17 (5 PM).
<a href="" id="update-activehoursmaxrange"></a>**Update/ActiveHoursMaxRange**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
@ -235,7 +235,7 @@ The following list shows the supported values:
> [!IMPORTANT]
> This option should be used only for systems under regulatory compliance, as you will not get security updates as well.
If the policy isn't configured, end users get the default behavior (Auto install and restart).
@ -312,7 +312,7 @@ The following list shows the supported values:
<a href="" id="update-branchreadinesslevel"></a>**Update/BranchReadinessLevel**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
@ -680,7 +680,7 @@ Value type is string and the default value is an empty string. If the setting is
### Update management
The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following information shows the Update CSP in tree format.
The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](mdm/update-csp.md). The following information shows the Update CSP in tree format.
```console
./Vendor/MSFT
@ -731,7 +731,7 @@ The update approval list enables IT to approve individual updates and update cla
> [!NOTE]
> For the Windows 10 build, the client may need to reboot after additional updates are added.
Supported operations are Get and Add.
@ -835,7 +835,7 @@ Supported operation is Get.
## <a href="" id="windows10version1607forupdatemanagement"></a> Windows 10, version 1607 for update management
Here are the new policies added in Windows 10, version 1607 in [Policy CSP](policy-configuration-service-provider.md). Use these policies for the Windows 10, version 1607 devices.
Here are the new policies added in Windows 10, version 1607 in [Policy CSP](mdm/policy-configuration-service-provider.md). Use these policies for the Windows 10, version 1607 devices.
- Update/ActiveHoursEnd
- Update/ActiveHoursStart

16
windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md → windows/client-management/diagnose-mdm-failures-in-windows-10.md
View File

@ -5,8 +5,8 @@ ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/25/2018
ms.collection: highpri
@ -19,10 +19,10 @@ To help diagnose enrollment or device management issues in Windows 10 devices ma
## Download the MDM Diagnostic Information log from Windows 10 PCs
1. On your managed device, go to **Settings** > **Accounts** > **Access work or school**.
1. Click your work or school account, then click **Info.**
1. Click your work or school account, then click **Info.**
![Access work or school page in Settings.](images/diagnose-mdm-failures15.png)
1. At the bottom of the **Settings** page, click **Create report**.
1. At the bottom of the **Settings** page, click **Create report**.
![Access work or school page and then Create report.](images/diagnose-mdm-failures16.png)
1. A window opens that shows the path to the log files. Click **Export**.
@ -89,7 +89,7 @@ You can open the log files (.evtx files) in the Event Viewer on a Windows 10 PC
## Collect logs remotely from Windows 10 PCs
When the PC is already enrolled in MDM, you can remotely collect logs from the PC through the MDM channel if your MDM server supports this facility. The [DiagnosticLog CSP](diagnosticlog-csp.md) can be used to enable an event viewer channel by full name. Here are the Event Viewer names for the Admin and Debug channels:
When the PC is already enrolled in MDM, you can remotely collect logs from the PC through the MDM channel if your MDM server supports this facility. The [DiagnosticLog CSP](mdm/diagnosticlog-csp.md) can be used to enable an event viewer channel by full name. Here are the Event Viewer names for the Admin and Debug channels:
- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FAdmin
- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FDebug
@ -137,7 +137,7 @@ Example: Export the Debug logs
## Collect logs remotely from Windows 10 Holographic
For holographic already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](diagnosticlog-csp.md).
For holographic already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](mdm/diagnosticlog-csp.md).
You can use the DiagnosticLog CSP to enable the ETW provider. The provider ID is 3DA494E4-0FE2-415C-B895-FB5265C5C83B. The following examples show how to enable the ETW provider:
@ -231,7 +231,7 @@ Stop collector trace logging
</SyncML>
```
After the logs are collected on the device, you can retrieve the files through the MDM channel using the FileDownload portion of the DiagnosticLog CSP. For details, see [DiagnosticLog CSP](diagnosticlog-csp.md).
After the logs are collected on the device, you can retrieve the files through the MDM channel using the FileDownload portion of the DiagnosticLog CSP. For details, see [DiagnosticLog CSP](mdm/diagnosticlog-csp.md).
## View logs
@ -263,7 +263,7 @@ For best results, ensure that the PC or VM on which you're viewing logs matches
## Collect device state data
Here's an example of how to collect current MDM device state data using the [DiagnosticLog CSP](diagnosticlog-csp.md), version 1.3, which was added in Windows 10, version 1607. You can collect the file from the device using the same FileDownload node in the CSP as you do for the etl files.
Here's an example of how to collect current MDM device state data using the [DiagnosticLog CSP](mdm/diagnosticlog-csp.md), version 1.3, which was added in Windows 10, version 1607. You can collect the file from the device using the same FileDownload node in the CSP as you do for the etl files.
```xml
<?xml version="1.0"?>

4
windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md → windows/client-management/disconnecting-from-mdm-unenrollment.md
View File

@ -8,8 +8,8 @@ ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/26/2017
---

72
windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md → windows/client-management/enable-admx-backed-policies-in-mdm.md
View File

@ -3,8 +3,8 @@ title: Enable ADMX policies in MDM
description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM).
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 11/01/2017
@ -17,10 +17,10 @@ manager: aaroncz
Here's how to configure Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM).
Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX policies)](./policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX policies in Policy CSP is different from the typical way you configure a traditional MDM policy.
Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX policies)](mdm/policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](mdm/policy-configuration-service-provider.md). Configuring ADMX policies in Policy CSP is different from the typical way you configure a traditional MDM policy.
Summary of steps to enable a policy:
- Find the policy from the list ADMX policies.
- Find the policy from the list ADMX policies.
- Find the Group Policy related information from the MDM policy description.
- Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy.
- Create the data payload for the SyncML.
@ -33,9 +33,9 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
## Enable a policy
> [!NOTE]
> See [Understanding ADMX policies in Policy CSP](./understanding-admx-backed-policies.md).
> See [Understanding ADMX policies in Policy CSP](understanding-admx-backed-policies.md).
1. Find the policy from the list [ADMX policies](./policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description.
1. Find the policy from the list [ADMX policies](mdm/policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description.
- GP Friendly name
- GP name
- GP ADMX file name
@ -43,25 +43,25 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
2. Use the Group Policy Editor to determine whether you need additional information to enable the policy. Run GPEdit.msc
1. Click **Start**, then in the text box type **gpedit**.
1. Click **Start**, then in the text box type **gpedit**.
2. Under **Best match**, click **Edit group policy** to launch it.
2. Under **Best match**, click **Edit group policy** to launch it.
![GPEdit search.](images/admx-gpedit-search.png)
3. In **Local Computer Policy** navigate to the policy you want to configure.
3. In **Local Computer Policy** navigate to the policy you want to configure.
In this example, navigate to **Administrative Templates > System > App-V**.
![App-V policies.](images/admx-appv.png)
4. Double-click **Enable App-V Client**.
4. Double-click **Enable App-V Client**.
The **Options** section is empty, which means there are no parameters necessary to enable the policy. If the **Options** section isn't empty, follow the procedure in [Enable a policy that requires parameters](#enable-a-policy-that-requires-parameters)
![Enable App-V client.](images/admx-appv-enableapp-vclient.png)
3. Create the SyncML to enable the policy that doesn't require any parameter.
3. Create the SyncML to enable the policy that doesn't require any parameter.
In this example, you configure **Enable App-V Client** to **Enabled**.
@ -90,7 +90,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
```
## Enable a policy that requires parameters
## Enable a policy that requires parameters
1. Create the SyncML to enable the policy that requires parameters.
@ -105,7 +105,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
2. Find the variable names of the parameters in the ADMX file.
You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](policy-configuration-service-provider.md#appvirtualization-publishingallowserver2).
You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](mdm/policy-configuration-service-provider.md#appvirtualization-publishingallowserver2).
![Publishing server 2 policy description.](images/admx-appv-policy-description.png)
@ -115,13 +115,13 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
5. Under **policy name="Publishing_Server2_Policy"** you can see the \<elements> listed. The *text id* and *enum id* represent the *data id* you need to include in the SyncML data payload. They correspond to the fields you see in the Group Policy Editor.
Here's the snippet from appv.admx:
```xml
<!-- Publishing Server 2 -->
<policy name="Publishing_Server2_Policy" class="Machine" displayName="$(string.PublishingServer2)"
explainText="$(string.Publishing_Server_Help)" presentation="$(presentation.Publishing_Server2)"
<policy name="Publishing_Server2_Policy" class="Machine" displayName="$(string.PublishingServer2)"
explainText="$(string.Publishing_Server_Help)" presentation="$(presentation.Publishing_Server2)"
key="SOFTWARE\Policies\Microsoft\AppV\Client\Publishing\Servers\2">
<parentCategory ref="CAT_Publishing" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
@ -139,7 +139,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
<decimal value="1"/>
</value>
</item>
</enum>
</enum>
<enum id="Global_Refresh_OnLogon_Options" valueName="GlobalLogonRefresh">
<item displayName="$(string.False)">
<value>
@ -151,7 +151,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
<decimal value="1"/>
</value>
</item>
</enum>
</enum>
<decimal id="Global_Refresh_Interval_Prompt" valueName="GlobalPeriodicRefreshInterval" minValue="0" maxValue="31"/>
<enum id="Global_Refresh_Unit_Options" valueName="GlobalPeriodicRefreshIntervalUnit">
<item displayName="$(string.Hour)">
@ -164,7 +164,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
<decimal value="1"/>
</value>
</item>
</enum>
</enum>
<enum id="User_Publishing_Refresh_Options" valueName="UserEnabled">
<item displayName="$(string.False)">
<value>
@ -188,7 +188,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
<decimal value="1"/>
</value>
</item>
</enum>
</enum>
<decimal id="User_Refresh_Interval_Prompt" valueName="UserPeriodicRefreshInterval" minValue="0" maxValue="31"/>
<enum id="User_Refresh_Unit_Options" valueName="UserPeriodicRefreshIntervalUnit">
<item displayName="$(string.Hour)">
@ -201,7 +201,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
<decimal value="1"/>
</value>
</item>
</enum>
</enum>
</elements>
</policy>
```
@ -209,7 +209,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
6. From the **\<elements>** tag, copy all of the *text id* and *enum id* and create an XML with *data id* and *value* fields. The *value* field contains the configuration settings that you would enter in the Group Policy Editor.
Here's the example XML for Publishing_Server2_Policy:
```xml
<data id="Publishing_Server2_Name_Prompt" value="Name"/>
<data id="Publishing_Server_URL_Prompt" value="http://someuri"/>
@ -221,12 +221,12 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
<data id="User_Refresh_OnLogon_Options" value="0"/>
<data id="User_Refresh_Interval_Prompt" value="15"/>
<data id="User_Refresh_Unit_Options" value="1"/>
```
```
7. Create the SyncML to enable the policy. Payload contains \<enabled/> and name/value pairs.
7. Create the SyncML to enable the policy. Payload contains \<enabled/> and name/value pairs.
Here's the example for **AppVirtualization/PublishingAllowServer2**:
> [!NOTE]
> The \<Data> payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.
@ -245,15 +245,15 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2</LocURI>
</Target>
<Data>
<![CDATA[<enabled/><data id="Publishing_Server2_Name_Prompt" value="name prompt"/><data
id="Publishing_Server_URL_Prompt" value="URL prompt"/><data
id="Global_Publishing_Refresh_Options" value="1"/><data
id="Global_Refresh_OnLogon_Options" value="0"/><data
id="Global_Refresh_Interval_Prompt" value="15"/><data
id="Global_Refresh_Unit_Options" value="0"/><data
id="User_Publishing_Refresh_Options" value="0"/><data
id="User_Refresh_OnLogon_Options" value="0"/><data
id="User_Refresh_Interval_Prompt" value="15"/><data
<![CDATA[<enabled/><data id="Publishing_Server2_Name_Prompt" value="name prompt"/><data
id="Publishing_Server_URL_Prompt" value="URL prompt"/><data
id="Global_Publishing_Refresh_Options" value="1"/><data
id="Global_Refresh_OnLogon_Options" value="0"/><data
id="Global_Refresh_Interval_Prompt" value="15"/><data
id="Global_Refresh_Unit_Options" value="0"/><data
id="User_Publishing_Refresh_Options" value="0"/><data
id="User_Refresh_OnLogon_Options" value="0"/><data
id="User_Refresh_Interval_Prompt" value="15"/><data
id="User_Refresh_Unit_Options" value="1"/>]]>
</Data>
</Item>

10
windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md → windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
View File

@ -3,8 +3,8 @@ title: Enroll a Windows 10 device automatically using Group Policy
description: Learn how to use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices.
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 04/30/2022
ms.reviewer:
@ -194,7 +194,7 @@ Requirements:
- 21H1 --> [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124)
- 21H2 --> [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)](https://www.microsoft.com/download/103667)
- 21H2 --> [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042)
2. Install the package on the Domain Controller.
@ -215,7 +215,7 @@ Requirements:
- 21H1 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)**
- 21H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2021 Update (21H2)**
- 21H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2021 Update V2 (21H2)**
4. Rename the extracted Policy Definitions folder to `PolicyDefinitions`.
@ -305,7 +305,7 @@ To collect Event Viewer logs:
### Useful Links
- [Windows 10 Administrative Templates for Windows 10 November 2021 Update 21H2](https://www.microsoft.com/download/103667)
- [Windows 10 Administrative Templates for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042)
- [Windows 10 Administrative Templates for Windows 10 May 2021 Update 21H1](https://www.microsoft.com/download/details.aspx?id=103124)
- [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591)
- [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495)

80
windows/client-management/mdm/enterprise-app-management.md → windows/client-management/enterprise-app-management.md
View File

@ -5,8 +5,8 @@ ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 10/04/2021
---
@ -30,7 +30,7 @@ Windows 10 offers the ability for management servers to:
## Inventory your apps
Windows 10 lets you inventory all apps deployed to a user, and inventory all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications:
Windows 10 lets you inventory all apps deployed to a user, and inventory all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](mdm/enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications:
- Store - Apps that are from the Microsoft Store. Apps can be directly installed from the Store or delivered with the enterprise from the Store for Business
- nonStore - Apps that weren't acquired from the Microsoft Store.
@ -41,7 +41,7 @@ These classifications are represented as nodes in the EnterpriseModernAppManagem
The following information shows the EnterpriseModernAppManagement CSP in a tree format:
```console
./Device/Vendor/MSFT
./Device/Vendor/MSFT
or
./User/Vendor/MSFT
EnterpriseAppManagement
@ -164,7 +164,7 @@ Here are the nodes for each package full name:
- Users
- IsProvisioned
For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md).
For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md).
### App inventory
@ -210,7 +210,7 @@ Here are the nodes for each license ID:
- LicenseUsage
- RequestedID
For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md).
For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md).
> [!NOTE]
> The LicenseID in the CSP is the content ID for the license.
@ -253,7 +253,7 @@ To deploy apps that aren't from the Microsoft Store, you must configure the Appl
The AllowAllTrustedApps policy enables the installation apps that are trusted by a certificate in the Trusted People on the device, or a root certificate in the Trusted Root of the device. The policy isn't configured by default, which means only apps from the Microsoft Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device.
For more information about the AllowAllTrustedApps policy, see [Policy CSP](policy-configuration-service-provider.md).
For more information about the AllowAllTrustedApps policy, see [Policy CSP](mdm/policy-configuration-service-provider.md).
Here are some examples.
@ -271,14 +271,14 @@ Here are some examples.
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/ApplicationManagement/AllowAllTrustedApps</LocURI>
</Target>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Data>1</Data>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Data>1</Data>
</Item>
</Replace>
```
@ -291,7 +291,7 @@ AllowDeveloperUnlock policy enables the development mode on the device. The Allo
Deployment of apps to Windows 10 for desktop editions requires that there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device.
For more information about the AllowDeveloperUnlock policy, see [Policy CSP](policy-configuration-service-provider.md).
For more information about the AllowDeveloperUnlock policy, see [Policy CSP](mdm/policy-configuration-service-provider.md).
Here's an example.
@ -309,21 +309,21 @@ Here's an example.
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/ApplicationManagement/AllowDeveloperUnlock</LocURI>
</Target>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Data>1</Data>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Data>1</Data>
</Item>
</Replace>
```
## Install your apps
You can install apps to a specific user or to all users of a device. Apps are installed directly from the Microsoft Store. Or, they're installed from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) to install apps.
You can install apps to a specific user or to all users of a device. Apps are installed directly from the Microsoft Store. Or, they're installed from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md) to install apps.
### Deploy apps to user from the Store
@ -381,7 +381,7 @@ Here's an example of an offline license installation.
<Exec>
<CmdID>1</CmdID>
<Item>
<Target>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}/AddLicense</LocURI>
</Target>
<Meta>
@ -420,7 +420,7 @@ Here's an example of a line-of-business app installation.
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}</LocURI>
</Target>
</Item>
</Add>
</Add>
<!-- Install appx -->
<Exec>
<CmdID>1</CmdID>
@ -447,7 +447,7 @@ Here's an example of an app installation with dependencies.
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName</LocURI>
</Target>
</Item>
</Add>
</Add>
<!-- Install appx with deployment options and framework dependencies-->
<Exec>
<CmdID>1</CmdID>
@ -481,7 +481,7 @@ Here's an example of an app installation with dependencies and optional packages
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName</LocURI>
</Target>
</Item>
</Add>
</Add>
<!-- Install appx with deployment options and framework dependencies-->
<Exec>
<CmdID>1</CmdID>
@ -499,9 +499,9 @@ Here's an example of an app installation with dependencies and optional packages
<Dependency PackageUri=\\server2\share\HelloMarsFramework.appx” />
</Dependencies>
<OptionalPackages>
<Package PackageUri=\\server\share\OptionalPackage1.appx”
<Package PackageUri=\\server\share\OptionalPackage1.appx”
PackageFamilyName="/{PackageFamilyName}" />
<Package PackageUri=\\server2\share\OptionalPackage2.appx”
<Package PackageUri=\\server2\share\OptionalPackage2.appx”
PackageFamilyName="/{PackageFamilyName}" />
</OptionalPackages>
</Application>
@ -542,7 +542,7 @@ Here's an example of app installation.
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName</LocURI>
</Target>
</Item>
</Add>
</Add>
<!-- Provision appx to device -->
<Exec>
<CmdID>1</CmdID>
@ -579,7 +579,7 @@ Here's an example of app installation with dependencies.
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName</LocURI>
</Target>
</Item>
</Add>
</Add>
<!-- Provision appx with framework dependencies-->
<Exec>
<CmdID>1</CmdID>
@ -626,7 +626,7 @@ Here's an example of a query for a specific app installation.
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}?list=StructData</LocURI>
</Target>
</Item>
@ -640,7 +640,7 @@ Here's an example of a query for all app installations.
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation?list=StructData</LocURI>
</Target>
</Item>
@ -659,7 +659,7 @@ Here's an example of an alert.
<Data>1226</Data>
<Item>
<Source>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall</LocURI>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall</LocURI>
</Source>
<Meta>
<Type xmlns="syncml:metinf">Reversed-Domain-Name:com.microsoft.mdm.EnterpriseHostedAppInstall.result</Type>
@ -723,7 +723,7 @@ You can remove provisioned apps from a device for a specific version, or for all
> [!NOTE]
> You can only remove an app that has an inventory value IsProvisioned = 1.
Removing provisioned app occurs in the device context.
Here's an example for removing a provisioned app from a device.
@ -889,7 +889,7 @@ The Universal Windows app can share application data between the users of the de
> [!NOTE]
> This is only applicable to multi-user devices.
The AllowSharedUserAppData policy in [Policy CSP](policy-configuration-service-provider.md) enables or disables app packages to share data between app packages when there are multiple users. If you enable this policy, applications can share data between packages in their package family. Data can be shared through ShareLocal folder for that package family and local machine. This folder is available through the Windows.Storage API.
The AllowSharedUserAppData policy in [Policy CSP](mdm/policy-configuration-service-provider.md) enables or disables app packages to share data between app packages when there are multiple users. If you enable this policy, applications can share data between packages in their package family. Data can be shared through ShareLocal folder for that package family and local machine. This folder is available through the Windows.Storage API.
If you disable this policy, applications can't share user application data among multiple users. However, pre-written shared data will persist. The clean pre-written shared data, use DISM ((/Get-ProvisionedAppxPackage to detect if there's any shared data, and /Remove-SharedAppxData to remove it).
@ -911,14 +911,14 @@ Here's an example.
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/ApplicationManagement/AllowSharedUserAppData</LocURI>
</Target>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Data>1</Data>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Data>1</Data>
</Item>
</Replace>
```

3
windows/client-management/mdm/esim-enterprise-management.md → windows/client-management/esim-enterprise-management.md
View File

@ -1,11 +1,12 @@
---
title: eSIM Enterprise Management
description: Learn how Mobile Device Management (MDM) Providers support the eSIM Profile Management Solution on Windows.
ms.prod: w10
ms.prod: windows-client
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.author: vinpa
ms.topic: conceptual
ms.technology: itpro-manage
---
# How Mobile Device Management Providers support eSIM Management on Windows

4
windows/client-management/mdm/federated-authentication-device-enrollment.md → windows/client-management/federated-authentication-device-enrollment.md
View File

@ -5,8 +5,8 @@ ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 07/28/2017
---

116
windows/client-management/generate-kernel-or-complete-crash-dump.md
View File

@ -1,116 +0,0 @@
---
title: Generate a kernel or complete crash dump
description: Learn how to generate a kernel or complete crash dump, and then use the output to troubleshoot several issues.
ms.prod: w10
ms.topic: troubleshooting
author: Deland-Han
ms.localizationpriority: medium
ms.author: delhan
ms.date: 8/28/2019
ms.reviewer:
manager: willchen
ms.collection: highpri
---
# Generate a kernel or complete crash dump
A system crash (also known as a “bug check” or a "Stop error") occurs when Windows can't run correctly. The dump file that is produced from this event is called a system crash dump.
A manual kernel or complete memory dump file is useful when you troubleshoot several issues because the process captures a record of system memory at the time of a crash.
## Set up page files
See [Support for system crash dumps](determine-appropriate-page-file-size.md#support-for-system-crash-dumps) for the page file size requirement for system crash dump.
## Enable memory dump setting
You must be logged on as an administrator or a member of the Administrators group to complete this procedure. If your computer is connected to a network, network policy settings may prevent you from completing this procedure.
To enable memory dump setting, follow these steps:
1. In **Control Panel**, select **System and Security** > **System**.
2. Select **Advanced system settings**, and then select the **Advanced** tab.
3. In the **Startup and Recovery** area, select **Settings**.
4. Make sure that **Kernel memory dump** or **Complete memory dump** is selected under **Writing Debugging Information**.
5. Restart the computer.
>[!Note]
>You can change the dump file path by edit the **Dump file** field. In other words, you can change the path from %SystemRoot%\Memory.dmp to point to a local drive that has enough disk space, such as E:\Memory.dmp.
### Tips to generate memory dumps
When the computer crashes and restarts, the contents of physical RAM are written to the paging file that is located on the partition on which the operating system is installed.
Depending on the speed of the hard disk on which Windows is installed, dumping more than 2 gigabytes (GB) of memory may take a long time. Even in a best-case scenario, if the dump file is configured to reside on another local hard drive, a significant amount of data will be read and written to the hard disks. This read-and-write process can cause a prolonged server outage.
>[!Note]
>Use this method to generate complete memory dump files with caution. Ideally, you should do this only when you are explicitly requested to by the Microsoft Support engineer. Any kernel or complete memory dump file debugging should be the last resort after all standard troubleshooting methods have been completely exhausted.
## Manually generate a memory dump file
### Use the NotMyFault tool
If you can sign in while the problem is occurring, you can use the Microsoft Sysinternals NotMyFault tool by following these steps:
1. Download the [NotMyFault](https://download.sysinternals.com/files/NotMyFault.zip) tool.
2. Select **Start**, and then select **Command Prompt**.
3. At the command line, run the following command:
```console
notMyfault.exe /crash
```
>[!Note]
>This operation generates a memory dump file and a D1 Stop error.
### Use NMI
On some computers, you can't use keyboard to generate a crash dump file. For example, Hewlett-Packard (HP) BladeSystem servers from the Hewlett-Packard Development Company are managed through a browser-based graphical user interface (GUI). A keyboard isn't attached to the HP BladeSystem server.
In these cases, you must generate a complete crash dump file or a kernel crash dump file by using the Non-Maskable Interrupt (NMI) switch that causes an NMI on the system processor.
To implement this process, follow these steps:
> [!IMPORTANT]
> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
> [!NOTE]
> This registry key isn't required for clients running Windows 8 and later, or servers running Windows Server 2012 and later. Setting this registry key on later versions of Windows has no effect.
1. In Registry Editor, locate the following registry subkey:
**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl**
2. Right-click **CrashControl**, point to **New**, and then click **DWORD Value**.
3. Type NMICrashDump, and then press Enter.
4. Right-click **NMICrashDump**, and then select **Modify**.
5. In the **Value data** box, type **1**, and then select **OK**.
6. Restart the computer.
7. Hardware vendors, such as HP, IBM, and Dell, may provide an Automatic System Recovery (ASR) feature. You should disable this feature during troubleshooting. For example, if the HP and Compaq ASR feature is enabled in the BIOS, disable this feature while you troubleshoot to generate a complete Memory.dmp file. For the exact steps, contact your hardware vendor.
8. Enable the NMI switch in the BIOS or by using the Integrated Lights Out (iLO) Web interface.
>[!Note]
>For the exact steps, see the BIOS reference manual or contact your hardware vendor.
9. Test this method on the server by using the NMI switch to generate a dump file. You'll see a STOP 0x00000080 hardware malfunction.
If you want to run NMI in Microsoft Azure using Serial Console, see [Use Serial Console for SysRq and NMI calls](/troubleshoot/azure/virtual-machines/serial-console-nmi-sysrq).
### Use the keyboard
[Forcing a System Crash from the Keyboard](/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard)
### Use Debugger
[Forcing a System Crash from the Debugger](/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-debugger)

4
windows/client-management/mdm/get-inventory.md → windows/client-management/get-inventory.md
View File

@ -8,8 +8,8 @@ ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/18/2017
---

4
windows/client-management/mdm/get-localized-product-details.md → windows/client-management/get-localized-product-details.md
View File

@ -5,8 +5,8 @@ ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 12/07/2020
---

4
windows/client-management/mdm/get-offline-license.md → windows/client-management/get-offline-license.md
View File

@ -5,8 +5,8 @@ ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/18/2017
---

4
windows/client-management/mdm/get-product-details.md → windows/client-management/get-product-details.md
View File

@ -5,8 +5,8 @@ ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/18/2017
---

4
windows/client-management/mdm/get-product-package.md → windows/client-management/get-product-package.md
View File

@ -5,8 +5,8 @@ ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/18/2017
---

4
windows/client-management/mdm/get-product-packages.md → windows/client-management/get-product-packages.md
View File

@ -5,8 +5,8 @@ ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/18/2017
---

4
windows/client-management/mdm/get-seat.md → windows/client-management/get-seat.md
View File

@ -5,8 +5,8 @@ ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/18/2017
---

4
windows/client-management/mdm/get-seats-assigned-to-a-user.md → windows/client-management/get-seats-assigned-to-a-user.md
View File

@ -5,8 +5,8 @@ ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/18/2017
---

4
windows/client-management/mdm/get-seats.md → windows/client-management/get-seats.md
View File

@ -5,8 +5,8 @@ ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/18/2017
---

3
windows/client-management/group-policies-for-enterprise-and-education-editions.md
View File

@ -1,7 +1,7 @@
---
title: Group Policy settings that apply only to Windows 10 Enterprise and Education Editions (Windows 10)
description: Use this topic to learn about Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education.
ms.prod: w10
ms.prod: windows-client
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/14/2021
@ -9,6 +9,7 @@ ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: troubleshooting
ms.technology: itpro-manage
---
# Group Policy settings that apply only to Windows 10 Enterprise and Education Editions

BIN
windows/client-management/images/aadj1.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 46 KiB

BIN
windows/client-management/images/aadj2.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 47 KiB

BIN
windows/client-management/images/aadj3.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 44 KiB

BIN
windows/client-management/images/aadj4.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 23 KiB

BIN
windows/client-management/images/aadjbrowser.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 66 KiB

BIN
windows/client-management/images/aadjcal.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 71 KiB

BIN
windows/client-management/images/aadjcalmail.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 23 KiB

BIN
windows/client-management/images/aadjmail1.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 55 KiB

BIN
windows/client-management/images/aadjmail2.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 38 KiB

BIN
windows/client-management/images/aadjmail3.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 50 KiB

BIN
windows/client-management/images/aadjonedrive.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 82 KiB

BIN
windows/client-management/images/aadjonenote.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 54 KiB

BIN
windows/client-management/images/aadjonenote2.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 43 KiB

BIN
windows/client-management/images/aadjonenote3.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 34 KiB

BIN
windows/client-management/images/aadjpin.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 44 KiB

BIN
windows/client-management/images/aadjppt.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 42 KiB

BIN
windows/client-management/images/aadjverify.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 69 KiB

BIN
windows/client-management/images/aadjword.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 61 KiB

BIN
windows/client-management/images/aadjwsfb.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 43 KiB

0
windows/client-management/mdm/images/admx-app-v-enablepublishingserver2settings.png → windows/client-management/images/admx-app-v-enablepublishingserver2settings.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 45 KiB

After

Width:  |  Height:  |  Size: 45 KiB

0
windows/client-management/mdm/images/admx-appv-enableapp-vclient.png → windows/client-management/images/admx-appv-enableapp-vclient.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 24 KiB

After

Width:  |  Height:  |  Size: 24 KiB

0
windows/client-management/mdm/images/admx-appv-policy-description.png → windows/client-management/images/admx-appv-policy-description.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 85 KiB

After

Width:  |  Height:  |  Size: 85 KiB

0
windows/client-management/mdm/images/admx-appv-publishingserver2.png → windows/client-management/images/admx-appv-publishingserver2.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 62 KiB

After

Width:  |  Height:  |  Size: 62 KiB

0
windows/client-management/mdm/images/admx-appv.png → windows/client-management/images/admx-appv.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 50 KiB

After

Width:  |  Height:  |  Size: 50 KiB

0
windows/client-management/mdm/images/admx-gpedit-search.png → windows/client-management/images/admx-gpedit-search.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 30 KiB

After

Width:  |  Height:  |  Size: 30 KiB

0
windows/client-management/mdm/images/auto-enrollment-activation-verification-less-entries.png → windows/client-management/images/auto-enrollment-activation-verification-less-entries.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 34 KiB

After

Width:  |  Height:  |  Size: 34 KiB

0
windows/client-management/mdm/images/auto-enrollment-activation-verification.png → windows/client-management/images/auto-enrollment-activation-verification.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 30 KiB

After

Width:  |  Height:  |  Size: 30 KiB

0
windows/client-management/mdm/images/auto-enrollment-azureadprt-verification.png → windows/client-management/images/auto-enrollment-azureadprt-verification.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 18 KiB

After

Width:  |  Height:  |  Size: 18 KiB

0
windows/client-management/mdm/images/auto-enrollment-device-status-result.png → windows/client-management/images/auto-enrollment-device-status-result.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 25 KiB

After

Width:  |  Height:  |  Size: 25 KiB

0
windows/client-management/mdm/images/auto-enrollment-enrollment-of-windows-devices.png → windows/client-management/images/auto-enrollment-enrollment-of-windows-devices.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 44 KiB

After

Width:  |  Height:  |  Size: 44 KiB

0
windows/client-management/mdm/images/auto-enrollment-event-id-102.png → windows/client-management/images/auto-enrollment-event-id-102.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 31 KiB

After

Width:  |  Height:  |  Size: 31 KiB

0
windows/client-management/mdm/images/auto-enrollment-event-id-107.png → windows/client-management/images/auto-enrollment-event-id-107.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 26 KiB

After

Width:  |  Height:  |  Size: 26 KiB

0
windows/client-management/mdm/images/auto-enrollment-intune-license-verification.png → windows/client-management/images/auto-enrollment-intune-license-verification.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 43 KiB

After

Width:  |  Height:  |  Size: 43 KiB

0
windows/client-management/mdm/images/auto-enrollment-mdm-discovery-url.png → windows/client-management/images/auto-enrollment-mdm-discovery-url.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 30 KiB

After

Width:  |  Height:  |  Size: 30 KiB

0
windows/client-management/mdm/images/auto-enrollment-microsoft-intune-setting.png → windows/client-management/images/auto-enrollment-microsoft-intune-setting.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 129 KiB

After

Width:  |  Height:  |  Size: 129 KiB

0
windows/client-management/mdm/images/auto-enrollment-outdated-enrollment-entries.png → windows/client-management/images/auto-enrollment-outdated-enrollment-entries.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 91 KiB

After

Width:  |  Height:  |  Size: 91 KiB

0
windows/client-management/mdm/images/auto-enrollment-task-scheduler.png → windows/client-management/images/auto-enrollment-task-scheduler.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 112 KiB

After

Width:  |  Height:  |  Size: 112 KiB

0
windows/client-management/mdm/images/auto-enrollment-troubleshooting-event-id-75.png → windows/client-management/images/auto-enrollment-troubleshooting-event-id-75.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 24 KiB

After

Width:  |  Height:  |  Size: 24 KiB

0
windows/client-management/mdm/images/auto-enrollment-troubleshooting-event-id-76.png → windows/client-management/images/auto-enrollment-troubleshooting-event-id-76.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 29 KiB

After

Width:  |  Height:  |  Size: 29 KiB

0
windows/client-management/mdm/images/autoenrollment-2-factor-auth.png → windows/client-management/images/autoenrollment-2-factor-auth.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 183 KiB

After

Width:  |  Height:  |  Size: 183 KiB

0
windows/client-management/mdm/images/autoenrollment-gpedit.png → windows/client-management/images/autoenrollment-gpedit.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 30 KiB

After

Width:  |  Height:  |  Size: 30 KiB

0
windows/client-management/mdm/images/autoenrollment-mdm-policies.png → windows/client-management/images/autoenrollment-mdm-policies.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 102 KiB

After

Width:  |  Height:  |  Size: 102 KiB

0
windows/client-management/mdm/images/autoenrollment-policy.png → windows/client-management/images/autoenrollment-policy.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 220 KiB

After

Width:  |  Height:  |  Size: 220 KiB

0
windows/client-management/mdm/images/autoenrollment-scheduled-task.png → windows/client-management/images/autoenrollment-scheduled-task.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 44 KiB

After

Width:  |  Height:  |  Size: 44 KiB

0
windows/client-management/mdm/images/autoenrollment-settings-work-school.png → windows/client-management/images/autoenrollment-settings-work-school.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 72 KiB

After

Width:  |  Height:  |  Size: 72 KiB

0
windows/client-management/mdm/images/autoenrollment-task-schedulerapp.png → windows/client-management/images/autoenrollment-task-schedulerapp.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 40 KiB

After

Width:  |  Height:  |  Size: 40 KiB

0
windows/client-management/mdm/images/azure-ad-add-tenant1.png → windows/client-management/images/azure-ad-add-tenant1.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 20 KiB

After

Width:  |  Height:  |  Size: 20 KiB

0
windows/client-management/mdm/images/azure-ad-add-tenant10.png → windows/client-management/images/azure-ad-add-tenant10.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 170 KiB

After

Width:  |  Height:  |  Size: 170 KiB

0
windows/client-management/mdm/images/azure-ad-add-tenant11.png → windows/client-management/images/azure-ad-add-tenant11.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 116 KiB

After

Width:  |  Height:  |  Size: 116 KiB

0
windows/client-management/mdm/images/azure-ad-add-tenant12.png → windows/client-management/images/azure-ad-add-tenant12.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 36 KiB

After

Width:  |  Height:  |  Size: 36 KiB

0
windows/client-management/mdm/images/azure-ad-add-tenant13.png → windows/client-management/images/azure-ad-add-tenant13.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 35 KiB

After

Width:  |  Height:  |  Size: 35 KiB

0
windows/client-management/mdm/images/azure-ad-add-tenant14.png → windows/client-management/images/azure-ad-add-tenant14.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 49 KiB

After

Width:  |  Height:  |  Size: 49 KiB

0
windows/client-management/mdm/images/azure-ad-add-tenant15.png → windows/client-management/images/azure-ad-add-tenant15.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 46 KiB

After

Width:  |  Height:  |  Size: 46 KiB

0
windows/client-management/mdm/images/azure-ad-add-tenant2.png → windows/client-management/images/azure-ad-add-tenant2.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 26 KiB

After

Width:  |  Height:  |  Size: 26 KiB

0
windows/client-management/mdm/images/azure-ad-add-tenant3-b.png → windows/client-management/images/azure-ad-add-tenant3-b.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 52 KiB

After

Width:  |  Height:  |  Size: 52 KiB

0
windows/client-management/mdm/images/azure-ad-add-tenant3.png → windows/client-management/images/azure-ad-add-tenant3.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 50 KiB

After

Width:  |  Height:  |  Size: 50 KiB

0
windows/client-management/mdm/images/azure-ad-add-tenant4.png → windows/client-management/images/azure-ad-add-tenant4.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 179 KiB

After

Width:  |  Height:  |  Size: 179 KiB

0
windows/client-management/mdm/images/azure-ad-add-tenant5.png → windows/client-management/images/azure-ad-add-tenant5.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 25 KiB

After

Width:  |  Height:  |  Size: 25 KiB

0
windows/client-management/mdm/images/azure-ad-add-tenant6.png → windows/client-management/images/azure-ad-add-tenant6.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 7.7 KiB

After

Width:  |  Height:  |  Size: 7.7 KiB

0
windows/client-management/mdm/images/azure-ad-add-tenant7.png → windows/client-management/images/azure-ad-add-tenant7.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 37 KiB

After

Width:  |  Height:  |  Size: 37 KiB

0
windows/client-management/mdm/images/azure-ad-add-tenant8.png → windows/client-management/images/azure-ad-add-tenant8.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 24 KiB

After

Width:  |  Height:  |  Size: 24 KiB

Some files were not shown because too many files have changed in this diff Show More