deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 14:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into v-tea-CI-111493

Browse Source
This commit is contained in:
Teresa-Motiv 2019-12-16 11:52:33 -08:00
commit 3de90fa3a9
17 changed files with 287 additions and 215 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
devices/hololens/hololens-find-and-save-files.md
View File

@ -42,6 +42,22 @@ To see your HoloLens files in File Explorer on your PC:
>[!TIP]
>To see info about your HoloLens, right-click the device name in File Explorer on your PC, then select **Properties**.
## View HoloLens files on Windows Device Portal
>[!NOTE]
>To use Device Portal you must enable [Developer Mode](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal#setting-up-hololens-to-use-windows-device-portal).
1. Enable Developer Mode and Device Portal on your HoloLens. (See note above if not enabled.)
1. Navigate to the Device Portal page on your PC.
1. To connect to a HoloLens connected to your PC type in 127.0.0.1:10080/ in your browser.
1. To connect to a HoloLens wirelessly instead navigate to your IP address.
>[!TIP]
>You may need to install a certificate, OR you may see more details and navigate to the website anyways. (Path per web broswer will differ.)
1. Once succesfully connected, on the left side of the windw you can navigate to the [File Explorer](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal#file-explorer) workspace.
## Sync to the cloud
To sync photos and other files from your HoloLens to the cloud, install and set up OneDrive on HoloLens. To get OneDrive, search for it in the Microsoft Store on your HoloLens.

2
devices/hololens/hololens-multiple-users.md
View File

@ -37,7 +37,7 @@ To use HoloLens, each user follows these steps:
1. If another user has been using the device, do one of the following:
- Press the power button once to go to standby, and then press the power button again to return to the lock screen
- Select the user tile on the upper right of the Pins panel to sign out the current user.
- HoloLens 2 users may select the user tile on the top of the Pins panel to sign out the current user.
1. Use your Azure AD account credentials to sign in to the device.
If this is the first time that you have used the device, you have to [calibrate](hololens-calibration.md) HoloLens to your own eyes.

6
devices/surface-hub/surface-hub-2s-manage-intune.md
View File

@ -69,6 +69,6 @@ You can set the Microsoft Teams app mode using Intune. Surface Hub 2S comes inst
To set modes, add the following settings to a custom Device Configuration Profile.
|**Name**|**Description**|**OMA-URI**|**Type**|**Value**|
|:------ |:------------- |:--------- |:------ |:------- |
|**Teams App ID**| App name | ./Vendor/MSFT/SurfaceHub/Properties/VtcAppPackageId | String | Microsoft.MicrosoftTeamsforSurfaceHub_8wekyb3d8bbwe!Teams­­ |
|**Teams App Mode**| Teams mode | ./Vendor/MSFT/SurfaceHub/Properties/SurfaceHubMeetingMode | Integer | 0 or 1 or 2 |
|:--- |:--- |:--- |:--- |:--- |
|**Teams App ID**|App name|./Vendor/MSFT/SurfaceHub/Properties/VtcAppPackageId|String| Microsoft.MicrosoftTeamsforSurfaceHub_8wekyb3d8bbwe!Teams|
|**Teams App Mode**|Teams mode|./Vendor/MSFT/SurfaceHub/Properties/SurfaceHubMeetingMode|Integer| 0 or 1 or 2|

244
windows/deployment/upgrade/resolution-procedures.md
View File

@ -20,36 +20,36 @@ ms.topic: article
**Applies to**
- Windows 10
>[!NOTE]
>This is a 200 level topic (moderate).<br>
>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
> [!NOTE]
> This is a 200 level topic (moderate).
> See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
## 0xC1900101
A frequently observed result code is 0xC1900101. This result code can be thrown at any stage of the upgrade process, with the exception of the downlevel phase. 0xC1900101 is a generic rollback code, and usually indicates that an incompatible driver is present. The incompatible driver can cause blue screens, system hangs, and unexpected reboots. Analysis of supplemental log files is often helpful, such as:<br>
A frequently observed result code is 0xC1900101. This result code can be thrown at any stage of the upgrade process, with the exception of the downlevel phase. 0xC1900101 is a generic rollback code, and usually indicates that an incompatible driver is present. The incompatible driver can cause blue screens, system hangs, and unexpected reboots. Analysis of supplemental log files is often helpful, such as:
- The minidump file: $Windows.~bt\Sources\Rollback\setupmem.dmp,
- Event logs: $Windows.~bt\Sources\Rollback\*.evtx
- The device install log: $Windows.~bt\Sources\Rollback\setupapi\setupapi.dev.log
The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018). To resolve a rollback due to driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/kb/929135) before initiating the upgrade process.
The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018).
<br>See the following general troubleshooting procedures associated with a result code of 0xC1900101:
To resolve a rollback that was caused by driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/kb/929135) before initiating the upgrade process.
See the following general troubleshooting procedures associated with a result code of 0xC1900101:<br /><br />
<table border="1" cellspacing="0" cellpadding="0">
<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x20004</B>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x20004
</table>
<br><table cellspacing="0" cellpadding="0">
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation.
<br>This is generally caused by out-of-date drivers.
</table>
</td>
@ -69,11 +69,11 @@ The device install log is particularly helpful if rollback occurs during the sys
<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x2000c</B>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x2000c
</table>
<br><table cellspacing="0" cellpadding="0">
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Windows Setup encountered an unspecified error during Wim apply in the WinPE phase.
<br>This is generally caused by out-of-date drivers.
@ -91,16 +91,15 @@ The device install log is particularly helpful if rollback occurs during the sys
</td>
</tr>
<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x20017
</table>
<br><table cellspacing="0" cellpadding="0">
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>A driver has caused an illegal operation.
<br>Windows was not able to migrate the driver, resulting in a rollback of the operating system.
@ -113,9 +112,9 @@ The device install log is particularly helpful if rollback occurs during the sys
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
Ensure that all that drivers are updated.<br>
Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers.
<br>For more information, see <a href="https://technet.microsoft.com/library/ee851579.aspx" data-raw-source="[Understanding Failures and Log Files](https://technet.microsoft.com/library/ee851579.aspx)">Understanding Failures and Log Files</a>.
Ensure that all that drivers are updated.
<br />Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers.
<br />For more information, see <a href="https://support.microsoft.com/help/927521/windows-vista-windows-7-windows-server-2008-r2-windows-8-1-and-windows">Windows Vista, Windows 7, Windows Server 2008 R2, Windows 8.1, and Windows 10 setup log file locations</a>.
<br>Update or uninstall the problem drivers.
</table>
</td>
@ -124,11 +123,11 @@ Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory,
<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x30018</B>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x30018
</table>
<br><table cellspacing="0" cellpadding="0">
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>A device driver has stopped responding to setup.exe during the upgrade process.
</table>
@ -149,11 +148,11 @@ Disconnect all peripheral devices that are connected to the system, except for t
<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x3000D</B>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x3000D
</table>
<br><table cellspacing="0" cellpadding="0">
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Installation failed during the FIRST_BOOT phase while attempting the MIGRATE_DATA operation.
<br>This can occur due to a problem with a display driver.
@ -175,16 +174,15 @@ Disconnect all peripheral devices that are connected to the system, except for t
<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x4000D</B>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x4000D
</table>
<br><table cellspacing="0" cellpadding="0">
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>A rollback occurred due to a driver configuration issue.
<br>Installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
<br>This can occur due to incompatible drivers.
<br>This can occur because of incompatible drivers.
</table>
</td>
@ -194,40 +192,39 @@ Disconnect all peripheral devices that are connected to the system, except for t
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
<br>Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.
Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.
<br>Review the rollback log and determine the stop code.
<br>The rollback log is located in the <strong>C:$Windows.~BT\Sources\Panther</strong> folder. An example analysis is shown below. This example is not representative of all cases:
<br>Info SP Crash 0x0000007E detected
<br>Info SP Module name :
<br>Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005
<br>Info SP Bugcheck parameter 2 : 0xFFFFF8015BC0036A
<br>Info SP Bugcheck parameter 3 : 0xFFFFD000E5D23728
<br>Info SP Bugcheck parameter 4 : 0xFFFFD000E5D22F40
<br>Info SP Cannot recover the system.
<br>Info SP Rollback: Showing splash window with restoring text: Restoring your previous version of Windows.
<pre>
Info SP Crash 0x0000007E detected
Info SP Module name :
Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005
Info SP Bugcheck parameter 2 : 0xFFFFF8015BC0036A
Info SP Bugcheck parameter 3 : 0xFFFFD000E5D23728
Info SP Bugcheck parameter 4 : 0xFFFFD000E5D22F40
Info SP Cannot recover the system.
Info SP Rollback: Showing splash window with restoring text: Restoring your previous version of Windows.</pre>
<br>Typically, there is a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:<br>
Typically, there is a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:<br>
1. Make sure you have enough disk space.<br>
2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.<br>
3. Try changing video adapters.<br>
4. Check with your hardware vendor for any BIOS updates.<br>
5. Disable BIOS memory options such as caching or shadowing.
</p>
</table>
</td>
</tr>
<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x40017</B>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x40017
</table>
<br><table cellspacing="0" cellpadding="0">
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Windows 10 upgrade failed after the second reboot.
<br>This is usually caused by a faulty driver. For example: antivirus filter drivers or encryption drivers.
@ -237,23 +234,61 @@ Disconnect all peripheral devices that are connected to the system, except for t
<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Clean boot into Windows, and then attempt the upgrade to Windows 10.<br>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
<b>Mitigation</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135).
Clean boot into Windows, and then attempt the upgrade to Windows 10. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135).
Ensure that you select the option to "Download and install updates (recommended)."
<b>Computers that run Citrix VDA</b>
You may see this message after you upgrade a computer from Windows 10, version 1511 to Windows 10, version 1607. After the second system restart, the system generates this error and then rolls back to the previous version. This problem has also been observed in upgrades to Windows 8.1 and Windows 8.
This problem occurs because the computer has Citrix Virtual Delivery Agent (VDA) installed. Citrix VDA installs device drivers and a file system filter driver (CtxMcsWbc). This Citrix filter driver prevents the upgrade from writing changes to the disk, so the upgrade cannot complete and the system rolls back.
**Resolution**
To resolve this problem, install [Cumulative update for Windows 10 Version 1607 and Windows Server 2016: November 8, 2016](https://support.microsoft.com/help/3200970/cumulative-update-for-windows-10-version-1607-and-windows-server-2016).
You can work around this problem in two ways
**Workaround 1**
1. Use the VDA setup application (VDAWorkstationSetup_7.11) to uninstall Citrix VDA.
1. Run the Windows upgrade again.
1. Reinstall Citrix VDA.
**Workaround 2**
If you cannot uninstall Citrix VDA, follow these steps to work around this problem:
1. In Registry Editor, go to the following subkey:
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\CtxMcsWbc
```
1. Change the value of the **Start** entry from **0** to **4**. This change disables the Citrix MCS cache service.
1. Go to the following subkey:
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}
```
1. Delete the **CtxMcsWbc** entry.
1. Restart the computer, and then try the upgrade again.
> **Third-party information disclaimer**
> The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
<br><br>Ensure you select the option to "Download and install updates (recommended)."
</table>
</td>
</tr>
</table>
<h2 id="0x800xxxxx">0x800xxxxx</h2>
## 0x800xxxxx
<br>Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly.
Result codes that start with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly.
<br>See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:<br>
See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:
<br><table border="1" cellspacing="0" cellpadding="0">
@ -262,15 +297,13 @@ For more information, see [How to perform a clean boot in Windows](https://suppo
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
80040005 - 0x20007
</table>
<br><table cellspacing="0" cellpadding="0">
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
An unspecified error occurred with a driver during the SafeOS phase.
</table>
@ -293,17 +326,15 @@ This error has more than one possible cause. Attempt [quick fixes](quick-fixes.m
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
0x80073BC3 - 0x20009<br>
0x80070002 - 0x20009<br>
0x80073B92 - 0x20009
</table>
<br><table cellspacing="0" cellpadding="0">
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
The requested system device cannot be found, there is a sharing violation, or there are multiple devices matching the identification criteria.
</table>
@ -324,17 +355,15 @@ These errors occur during partition analysis and validation, and can be caused b
<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
800704B8 - 0x3001A
</table>
<br><table cellspacing="0" cellpadding="0">
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
An extended error has occurred during the first boot phase.
</table>
@ -355,17 +384,15 @@ Disable or uninstall non-Microsoft antivirus applications, disconnect all unnece
<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
8007042B - 0x4000D
</table>
<br><table cellspacing="0" cellpadding="0">
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
The installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
<br>This issue can occur due to file system, application, or driver issues.
@ -387,17 +414,15 @@ The installation failed during the second boot phase while attempting the MIGRAT
<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
8007001F - 0x3000D
</table>
<br><table cellspacing="0" cellpadding="0">
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DATA operation.
</table>
@ -413,7 +438,8 @@ The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DAT
This error can be due to a problem with user profiles. It can occur due to corrupt registry entries under **HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList** or invalid files in the **\\Users** directory.
Note: If a previous upgrade did not complete, invalid profiles might exist in the **Windows.old\\Users** directory.
> [!NOTE]
> If a previous upgrade did not complete, invalid profiles might exist in the **Windows.old\\Users** directory.
To repair this error, ensure that deleted accounts are not still present in the Windows registry and that files under the \\Users directory are valid. Delete the invalid files or user profiles that are causing this error. The specific files and profiles that are causing the error will be recorded in the Windows setup log files.
@ -424,17 +450,15 @@ To repair this error, ensure that deleted accounts are not still present in the
<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
8007001F - 0x4000D
</table>
<br><table cellspacing="0" cellpadding="0">
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
General failure, a device attached to the system is not functioning.
</table>
@ -455,17 +479,15 @@ General failure, a device attached to the system is not functioning.
<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
8007042B - 0x4001E
</table>
<br><table cellspacing="0" cellpadding="0">
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
The installation failed during the second boot phase while attempting the PRE_OOBE operation.
</table>
@ -488,12 +510,12 @@ This error has more than one possible cause. Attempt [quick fixes](quick-fixes.m
## Other result codes
<table>
<br /><table>
<tr>
<td BGCOLOR="#a0e4fa"><B>Error code</th>
<td BGCOLOR="#a0e4fa"><B>Cause</th>
<td BGCOLOR="#a0e4fa"><B>Mitigation</th>
<td BGCOLOR="#a0e4fa"><b>Error code</b></th>
<td BGCOLOR="#a0e4fa"><b>Cause</b></th>
<td BGCOLOR="#a0e4fa"><b>Mitigation</b></th>
</tr>
<tr>
@ -508,7 +530,6 @@ This error has more than one possible cause. Attempt [quick fixes](quick-fixes.m
<td>Ensure the system you are trying to upgrade meets the minimum system requirements. <br>See <a href="https://www.microsoft.com/windows/windows-10-specifications" data-raw-source="[Windows 10 specifications](https://www.microsoft.com/windows/windows-10-specifications)">Windows 10 specifications</a> for information.</td>
</tr>
<tr>
<td>0x80090011</td>
<td>A device driver error occurred during user data migration.</td>
@ -534,13 +555,13 @@ This error has more than one possible cause. Attempt [quick fixes](quick-fixes.m
<td>Attempt other methods of upgrading the operating system.<br>
Download and run the media creation tool. See <a href="https://www.microsoft.com/software-download/windows10" data-raw-source="[Download windows 10](https://www.microsoft.com/software-download/windows10)">Download windows 10</a>.
<br>Attempt to upgrade using .ISO or USB.<br>
<strong>Note</strong>: Windows 10 Enterprise isnt available in the media creation tool. For more information, go to the <a href="https://www.microsoft.com/licensing/servicecenter/default.aspx" data-raw-source="[Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx)">Volume Licensing Service Center</a>.
<strong>Note</strong><br>Windows 10 Enterprise isnt available in the media creation tool. For more information, go to the <a href="https://www.microsoft.com/licensing/servicecenter/default.aspx" data-raw-source="[Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx)">Volume Licensing Service Center</a>.
</td>
</tr>
<tr>
<td>0x80244018</td>
<td>Your machine is connected through a proxy server.</td>
<td>Make sure Automatically Detect Settings is selected in internet options. (Control Panel > Internet Options > Connections > LAN Settings).
<td>Make sure Automatically Detect Settings is selected in internet options. (<b>Control Panel</b> > <b>Internet Options</b> > <b>Connections</b> > <b>LAN Settings</b>).
</td>
</tr>
<tr>
@ -568,34 +589,29 @@ Download and run the media creation tool. See <a href="https://www.microsoft.com
<td>0xC1900107</td>
<td>A cleanup operation from a previous installation attempt is still pending and a system reboot is required in order to continue the upgrade.
</td>
<td>Reboot the device and run setup again. If restarting device does not resolve the issue, then use the Disk Cleanup utility and cleanup the temporary as well as the System files. For more information, see <a href="https://support.microsoft.com/instantanswers/8fef4121-711b-4be1-996f-99e02c7301c2/disk-cleanup-in-windows-10" data-raw-source="[Disk cleanup in Windows 10](https://support.microsoft.com/instantanswers/8fef4121-711b-4be1-996f-99e02c7301c2/disk-cleanup-in-windows-10)">Disk cleanup in Windows 10</a>.</td>
<td>Restart the device and run setup again. If restarting the device does not resolve the issue, then use the Disk Cleanup utility and clean up the temporary files as well as the System files. For more information, see <a href="https://support.microsoft.com/instantanswers/8fef4121-711b-4be1-996f-99e02c7301c2/disk-cleanup-in-windows-10" data-raw-source="[Disk cleanup in Windows 10](https://support.microsoft.com/instantanswers/8fef4121-711b-4be1-996f-99e02c7301c2/disk-cleanup-in-windows-10)">Disk cleanup in Windows 10</a>.</td>
</tr>
<tr>
<td>0xC1900209</td>
<td>The user has chosen to cancel because the system does not pass the compatibility scan to install the update. Setup.exe will report this error when it can upgrade the machine with user data but cannot migrate installed applications.</td>
<td>Incompatible software is blocking the upgrade process. Uninstall the application and try the upgrade again. See <a href="https://blogs.technet.microsoft.com/mniehaus/2015/08/23/windows-10-pre-upgrade-validation-using-setup-exe/" data-raw-source="[Windows 10 Pre-Upgrade Validation using SETUP.EXE](https://blogs.technet.microsoft.com/mniehaus/2015/08/23/windows-10-pre-upgrade-validation-using-setup-exe/)">Windows 10 Pre-Upgrade Validation using SETUP.EXE</a> for more information.
<br>You can also download the [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526740) and install Application Compatibility Tools.
<br>You can also download the <a href="https://go.microsoft.com/fwlink/p/?LinkId=526740">Windows Assessment and Deployment Kit (ADK) for Windows 10</a> and install Application Compatibility Tools.
</td>
</tr>
<tr>
<td>0x8007002 </td>
<td>This error is specific to upgrades using System Center Configuration Manager 2012 R2 SP1 CU3 (5.00.8238.1403)</td>
<td>Analyze the SMSTS.log and verify that the upgrade is failing on &quot;Apply Operating system&quot; Phase: Error 80072efe DownloadFileWithRanges() failed. 80072efe. ApplyOperatingSystem (0x0760)
<br>The error 80072efe means that the connection with the server was terminated abnormally.
<br>To resolve this issue, try the OS Deployment test on a client in same VLAN as the Configuration Manager server. Check the network configuration for random client-server connection issues happening on the remote VLAN.
</td>
</tr>
<tr>
<td>0x80240FFF </td>
<td>Occurs when update synchronization fails. It can occur when you are using Windows Server Update Services on its own or when it is integrated with System Center Configuration Manager. If you enable update synchronization before you install <a href="https://support.microsoft.com/help/3095113/en-us">hotfix 3095113</a>, WSUS doesn&#39;t recognize the Upgrades classification and instead treats the upgrade like a regular update.</td>
<td> You can prevent this by installing <a href="https://blogs.technet.com/b/wsus/archive/2015/12/04/important-update-for-wsus-4-0-kb-3095113.aspx">hotfix 3095113</a> before you enable update synchronization. However, if you have already run into this problem, do the following:
<td>Occurs when update synchronization fails. It can occur when you are using Windows Server Update Services on its own or when it is integrated with System Center Configuration Manager. If you enable update synchronization before you install <a href="https://support.microsoft.com/help/3095113/">hotfix 3095113</a>, WSUS doesn&#39;t recognize the Upgrades classification and instead treats the upgrade like a regular update.</td>
<td> You can prevent this by installing <a href="https://blogs.technet.microsoft.com/wsus/2015/12/03/important-update-for-wsus-4-0-kb-3095113/">hotfix 3095113</a> before you enable update synchronization. However, if you have already run into this problem, do the following:
<ol>
<li>Disable the Upgrades classification.</li>
<li>Install hotfix 3095113.</li>
@ -603,21 +619,20 @@ Download and run the media creation tool. See <a href="https://www.microsoft.com
<li>Enable the Upgrades classification.</li>
<li>Perform a full synch.</li>
</ol>
<br>For detailed information on how to run these steps check out <a href="https://blogs.technet.com/b/wsus/archive/2016/01/30/quot-help-i-synched-upgrades-too-soon-quot.aspx">How to delete upgrades in WSUS</a>.</p>
For detailed information on how to run these steps check out <a href="https://blogs.technet.microsoft.com/wsus/2016/01/29/how-to-delete-upgrades-in-wsus/">How to delete upgrades in WSUS</a>.</p>
</td>
</tr>
<tr>
<td>0x8007007E</td>
<td>Occurs when update synchronization fails because you do not have <a href="https://support.microsoft.com/help/3095113/en-us">hotfix 3095113</a> installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downloaded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you are using standalone Windows Server Update Services or when WSUS is integrated with System Center Configuration Manager.</td>
<td>Occurs when update synchronization fails because you do not have <a href="https://support.microsoft.com/help/3095113/">hotfix 3095113</a> installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downloaded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you are using standalone Windows Server Update Services or when WSUS is integrated with System Center Configuration Manager.</td>
<td> Use the following steps to repair Windows Server Update Services. You must run these steps on each WSUS server that synched metadata before you installed the hotfix.
<ol>
<li>Stop the Windows Update service. Sign in as a user with administrative privileges, and then do the following:
<ol>
<li>Open <b>Administrative Tools</b> from the Control Panel.</li>
<li>Double-click <b>Services</b>.</li>
<li>Find the <b>Windows Update</b> service, right-click it, and then click <b>Stop</b>. If prompted, enter your credentials.</li>
<li>Find the <b>Windows Update</b> service, right-click it, and then select <b>Stop</b>. If prompted, enter your credentials.</li>
</ol>
</li>
<li>Delete all files and folders under c:\Windows\SoftwareDistribution\DataStore.</li>
@ -630,7 +645,7 @@ Download and run the media creation tool. See <a href="https://www.microsoft.com
## Other error codes
<table>
<br><table>
<tr><td BGCOLOR="#a0e4fa">Error Codes<td BGCOLOR="#a0e4fa">Cause<td BGCOLOR="#a0e4fa">Mitigation</td></tr>
<tr><td>0x80070003- 0x20007
@ -657,9 +672,9 @@ Alternatively, re-create installation media the [Media Creation Tool](https://ww
<td>The computer doesnt meet the minimum requirements to download or upgrade to Windows 10.
<td>See <a href="https://www.microsoft.com/windows/windows-10-specifications" data-raw-source="[Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications)">Windows 10 Specifications</a> and verify the computer meets minimum requirements.
See <a href="https://www.microsoft.com/windows/windows-10-specifications" data-raw-source="[Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications)">Windows 10 Specifications</a> and verify the computer meets minimum requirements.
<br>Review logs for [compatibility information](https://blogs.technet.microsoft.com/askcore/2016/01/21/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues/).</td></tr>
Review logs for [compatibility information](https://blogs.technet.microsoft.com/askcore/2016/01/21/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues/).</td></tr>
<tr><td>0x80070004 - 0x3000D
<td>This is a problem with data migration during the first boot phase. There are multiple possible causes.
@ -680,7 +695,8 @@ Alternatively, re-create installation media the [Media Creation Tool](https://ww
<td>These errors indicate the computer does not have enough free space available to install the upgrade.
<td>To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there is not enough space, attempt to <a href="https://support.microsoft.com/help/17421/windows-free-up-drive-space" data-raw-source="[free up drive space](https://support.microsoft.com/help/17421/windows-free-up-drive-space)">free up drive space</a> before proceeding with the upgrade.
<br>Note: If your device allows it, you can use an external USB drive for the upgrade process. Windows setup will back up the previous version of Windows to a USB external drive. The external drive must be at least 8GB (16GB is recommended). The external drive should be formatted using NTFS. Drives that are formatted in FAT32 may run into errors due to FAT32 file size limitations. USB drives are preferred over SD cards because drivers for SD cards are not migrated if the device does not support Connected Standby.
> [!NOTE]
> If your device allows it, you can use an external USB drive for the upgrade process. Windows setup will back up the previous version of Windows to a USB external drive. The external drive must be at least 8GB (16GB is recommended). The external drive should be formatted using NTFS. Drives that are formatted in FAT32 may run into errors due to FAT32 file size limitations. USB drives are preferred over SD cards because drivers for SD cards are not migrated if the device does not support Connected Standby.
</td></tr>
</table>
@ -714,8 +730,8 @@ Also see the following sequential list of modern setup (mosetup) error codes wit
| 0XC190011f | MOSETUP_E_PROCESS_CRASHED | The installation process crashed. |
| 0XC1900120 | MOSETUP_E_EULA_TIMEOUT | The user has not accepted Eula within the required time limit. |
| 0XC1900121 | MOSETUP_E_ADVERTISE_TIMEOUT | The user has not accepted Advertisement within the required time limit. |
| 0XC1900122 | MOSETUP_E_DOWNLOADDISKSPACE_TIMEOUT | The download diskspace issues were not resolved within the required time limit. |
| 0XC1900123 | MOSETUP_E_INSTALLDISKSPACE_TIMEOUT | The install diskspace issues were not resolved within the required time limit. |
| 0XC1900122 | MOSETUP_E_DOWNLOADDISKSPACE_TIMEOUT | The download disk space issues were not resolved within the required time limit. |
| 0XC1900123 | MOSETUP_E_INSTALLDISKSPACE_TIMEOUT | The install disk space issues were not resolved within the required time limit. |
| 0XC1900124 | MOSETUP_E_COMPAT_SYSREQ_TIMEOUT | The minimum requirements compatibility issues were not resolved within the required time limit. |
| 0XC1900125 | MOSETUP_E_COMPAT_DOWNLOADREQ_TIMEOUT | The compatibility issues for download were not resolved within the required time limit. |
| 0XC1900126 | MOSETUP_E_GATHER_OS_STATE_SIGNATURE | The GatherOsState executable has invalid signature. |
@ -744,9 +760,9 @@ Also see the following sequential list of modern setup (mosetup) error codes wit
| 0XC1900209 | MOSETUP_E_COMPAT_INSTALLREQ_CANCEL | The user has chosen to cancel because the system does not pass the compat scan to install the update. |
| 0XC190020a | MOSETUP_E_COMPAT_RECOVERYREQ_BLOCK | The system does not pass the minimum requirements to recover Windows. |
| 0XC190020b | MOSETUP_E_COMPAT_RECOVERYREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to recover Windows. |
| 0XC190020c | MOSETUP_E_DOWNLOADDISKSPACE_BLOCK | The system does not pass the diskspace requirements to download the payload. |
| 0XC190020c | MOSETUP_E_DOWNLOADDISKSPACE_BLOCK | The system does not pass the disk space requirements to download the payload. |
| 0XC190020d | MOSETUP_E_DOWNLOADDISKSPACE_CANCEL | The user has chosen to cancel as the device does not have enough disk space to download. |
| 0XC190020e | MOSETUP_E_INSTALLDISKSPACE_BLOCK | The system does not pass the diskspace requirements to install the payload. |
| 0XC190020e | MOSETUP_E_INSTALLDISKSPACE_BLOCK | The system does not pass the disk space requirements to install the payload. |
| 0XC190020f | MOSETUP_E_INSTALLDISKSPACE_CANCEL | The user has chosen to cancel as the device does not have enough disk space to install. |
| 0XC1900210 | MOSETUP_E_COMPAT_SCANONLY | The user has used the setup.exe command line to do scanonly, not to install the OS. |
| 0XC1900211 | MOSETUP_E_DOWNLOAD_UNPACK_DISKSPACE_BLOCK | The system does not pass the disk space requirements to download and unpack media. |
@ -765,8 +781,8 @@ Also see the following sequential list of modern setup (mosetup) error codes wit
## Related topics
[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
<br>[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
<br>[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
<br>[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
<br>[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
- [Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
- [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
- [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
- [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/home?category=Windows10ITPro)
- [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)

108
windows/deployment/windows-autopilot/autopilot-faq.md
View File

@ -1,6 +1,6 @@
---
title: Windows Autopilot FAQ
ms.reviewer: This topic provides OEMs, partners, administrators, and end-users with answers to some frequently asked questions about deploying Windows 10 with Windows Autopilot.
ms.reviewer: This topic provides OEMs, partners, administrators, and end users with answers to some frequently asked questions about deploying Windows 10 with Windows Autopilot.
manager: laurawi
description: Support information for Windows Autopilot
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
@ -21,35 +21,35 @@ ms.topic: article
**Applies to: Windows 10**
This topic provides OEMs, partners, administrators, and end-users with answers to some frequently asked questions about deploying Windows 10 with Windows Autopilot.
This article provides OEMs, partners, administrators, and end users with answers to some frequently asked questions about deploying Windows 10 with Windows Autopilot.
A [glossary](#glossary) of abbreviations used in this topic is provided at the end.
A [glossary](#glossary) of abbreviations used in this article is provided at the end.
## Microsoft Partner Center
| Question | Answer |
| --- | --- |
| In the Partner Center, does the Tenant ID need to be provided with every device file upload? Is this needed to allow the business customer to access their devices in MSfB? | No. Providing the Tenant ID is a one-time entry in the Partner Center that can be re-used with future device uploads. |
| How does the customer or tenant know that their devices are ready to be claimed in MSfB? | After the device file upload is completed in the Partner Center, the tenant can see the devices available for Windows Autopilot setup in MSfB. The OEM would need to advise the tenant to access MSfB. Auto-notification from MSfB to the tenant is being developed. |
| How does a customer authorize an OEM or Channel Partner to register Autopilot devices on the customers behalf? | Before an OEM or Channel Partner can register a device for Autopilot on behalf of a customer, the customer must first give them consent. The consent process begins with the OEM or Channel Partner sending a link to the customer, which directs the customer to a consent page in Microsoft Store for Business. The steps explaining this process are [here](registration-auth.md). |
| Are there any restrictions if a business customer has registered devices in MSfB and later wants those devices to be managed by a CSP via the Partner Center? | The devices will need to be deleted in MSfB by the business customer before the CSP can upload and manage them in the Partner Center. |
| Does Windows Autopilot support removing the option to enable a local administrator account? | Windows Autopilot doesnt support removing the local admin account. However, it does support restricting the user performing AAD domain join in OOBE to a standard account (versus admin account by default).|
| How can I test the Windows Autopilot CSV file in the Partner Center? | Only CSP Partners have access to the Partner Center portal. If you are a CSP, you can create a Sales agent user account which has access to “Devices” for testing the file. This can be done today in the Partner Center. <br><br>Go [here](https://msdn.microsoft.com/partner-center/create-user-accounts-and-set-permissions) for more information. |
| Must I become a Cloud Solution Provider (CSP) to participate in Windows Autopilot? | Top volume OEMs do not, as they can use the OEM Direct API. All others who choose to use MPC to register devices must become CSPs in order to access MPC. |
| Do the different CSP levels have all the same capabilities when it comes to Windows Autopilot? | For purposes of Windows Autopilot, there are three different types of CSPs, each with different levels of authority an access: <br><br>1. <b>Direct CSP</b>: Gets direct authorization from the customer to register devices. <br><br>2. <b>Indirect CSP Provider</b>: Gets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center. <br><br>3. <b>Indirect CSP Reseller</b>: Gets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs. |
| In the Partner Center, does the Tenant ID need to be provided with every device file upload? Is it needed to allow the business customer to access their devices in Microsoft Store for Business (MSfB)? | No. Providing the Tenant ID is a one-time entry in the Partner Center that can be reused with future device uploads. |
| How does the customer or tenant know that their devices are ready to be claimed in MSfB? | After the device file upload is completed in the Partner Center, the tenant can see the devices available for Windows Autopilot setup in MSfB. The OEM needs to advise the tenant to access MSfB. Autonotification from MSfB to the tenant is being developed. |
| How does a customer authorize an OEM or Channel Partner to register Autopilot devices on the customers behalf? | Before an OEM or Channel Partner can register a device for Autopilot on behalf of a customer, the customer must first give them consent. The consent process begins with the OEM or Channel Partner sending a link to the customer that directs the customer to a consent page in MSfB. For more information, see [Registration](registration-auth.md). |
| Are there any restrictions if a business customer has registered devices in MSfB and later wants those devices to be managed by a Cloud Solution Provider (CSP) using the Partner Center? | The devices will need to be deleted in MSfB by the business customer before the CSP can upload and manage them in the Partner Center. |
| Does Windows Autopilot support removing the option to enable a local administrator account? | Windows Autopilot doesnt support removing the local admin account. However, it does support restricting the user performing Azure Active Directory (Azure AD) domain join in OOBE to a standard account (versus an administrator account by default).|
| How can I test the Windows Autopilot CSV file in the Partner Center? | Only CSP Partners have access to the Partner Center portal. If you are a CSP, you can create a Sales agent user account that has access to devices for testing the file. This can be done today in the Partner Center. <br><br>For more information, see [Create user accounts and set permissions](https://msdn.microsoft.com/partner-center/create-user-accounts-and-set-permissions). |
| Must I become a CSP to participate in Windows Autopilot? | Top volume OEMs do not, as they can use the OEM Direct API. All others who choose to use MPC to register devices must become CSPs in order to access MPC. |
| Do the different CSP levels have all the same capabilities when it comes to Windows Autopilot? | For purposes of Windows Autopilot, there are three different types of CSPs, each with different levels of authority and access: <br><br>1. <b>Direct CSP</b>: Gets direct authorization from the customer to register devices. <br><br>2. <b>Indirect CSP Provider</b>: Gets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center. <br><br>3. <b>Indirect CSP Reseller</b>: Gets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which means that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs. |
## Manufacturing
| Question | Answer |
| --- | --- |
| What changes need to be made in the factory OS image for customer configuration settings? |No changes are required on the factory floor to enable Windows Autopilot deployment. |
| What version of the OA3 tool meets Windows Autopilot deployment requirements? | Windows Autopilot can work with any version of the OA3 tool. We recommend using Windows 10, version 1703 and above to generate the 4K Hardware Hash. |
| At the time of placing an order, do customers need to be state whether they want it with or without Windows Autopilot options? | Yes, if they want Windows Autopilot, they will want Windows 10, version 1703 or later versions. Also, they will want to receive the CSV file or have the file upload (i.e., registration) completed on their behalf. |
| What version of the OA3 tool meets Windows Autopilot deployment requirements? | Windows Autopilot can work with any version of the OA3 tool. We recommend using Windows 10, version 1703 and above to generate the 4K hardware hash. |
| At the time of placing an order, do customers need to be state whether they want it with or without Windows Autopilot options? | Yes, if they want Windows Autopilot, they will want Windows 10, version 1703 or later versions. Also, they will want to receive the CSV file or have the file upload (that is, registration) completed on their behalf. |
| Does the OEM need to manage or collect any custom imaging files from customers and perform any image uploads to Microsoft? | No change, OEMs just send the CBRs as usual to Microsoft. No images are sent to Microsoft to enable Windows Autopilot. Windows Autopilot only customizes OOBE and allows policy configurations (disables admin account, for example). |
| Are there any customer impacts to upgrading from Windows 8 to Windows 10? | The devices must have Windows 10, version 1703 or later to enroll in Windows Autopilot deployment, otherwise no impacts. |
| Will there be any change to the existing CBR with 4k Hardware Hash? | No. |
| What new information needs to be sent from the OEM to Microsoft? | Nothing, unless the OEM opts to register the device on the customers behalf, in which case they would upload the device ID via a CSV file into Microsoft Partner Center, or use the OEM Direct API. |
| Are there any customer impacts to upgrading from Windows 8 to Windows 10? | The devices must have Windows 10, version 1703 or later to enroll in Windows Autopilot deployment. Otherwise, there are no impacts. |
| Will there be any change to the existing CBR with 4K hardware hash? | No. |
| What new information needs to be sent from the OEM to Microsoft? | Nothing, unless the OEM opts to register the device on the customers behalf, in which case they would upload the device ID using a CSV file into Microsoft Partner Center, or use the OEM Direct API. |
| Is there a contract or amendment for an OEM to participate in Windows Autopilot Deployment? | No. |
## CSV schema
@ -57,72 +57,72 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e
| Question | Answer |
| --- | --- |
| Can a comma be used in the CSV file? | No. |
| What error messages can a user expect to see in the Partner Center or MSfB when uploading a file? | See the In Microsoft Store for Business section of this guide. |
| What error messages can a user expect to see in the Partner Center or MSfB when uploading a file? | See the In Microsoft Store for Business section of this guide. |
| Is there a limit to the number of devices that can be listed in the CSV file? | Yes, the CSV file can only contain 1,000 devices to apply to a single profile. If more than 1,000 devices need to be applied to a profile, the devices need to be uploaded through multiple CSV files. |
| Does Microsoft have any recommendations on how an OEM should provide the CSV file to their customers? | Microsoft recommends encrypting the CSV file when sending to the business customer to self-register their Windows Autopilot devices (either through MPC, MSfB, or Intune). |
| Does Microsoft have any recommendations on how an OEM should provide the CSV file to their customers? | We recommend encrypting the CSV file when sending to the business customer to self-register their Windows Autopilot devices (either through MPC, MSfB, or Intune). |
## Hardware hash
| Question | Answer |
| --- | --- |
| Must every Hardware Hash submitted by the OEM contain the SMBIOS UUID (universally unique identifier), MAC (media access control) address and unique disk serial number (if using Windows 10, version 1703 and above OEM Activation 3.0 tool)? | Yes. Since Windows Autopilot is based on the ability to uniquely identify devices applying for cloud configuration, it is critical to submit Hardware Hashes which meet the outlined requirement. |
| What is the reason for needing the SMBIOS UUID, MAC Address and Disk Serial Number in the Hardware Hash details? | For creating the Hardware Hash, these are the fields that are needed to identify a device, as parts of the device are added/removed. Since we dont have a unique identifier for Windows devices, this is the best logic to identify a device. |
| What is difference between OA3 Hardware Hash, 4K Hardware Hash, and Windows Autopilot Hardware Hash? | None. Theyre different names for the same thing. The Windows 10, 1703 version of the OA3 tool output is called the OA3 Hash, which is 4K in size, which is usable for the Windows Autopilot deployment scenario. Note: When using a non-1703 version OA3Tool, you get a different sized Hash, which may not be used for Windows Autopilot deployment. |
| What is the thought around parts replacement and/or repair for the NIC (network interface controller) and/or Disk? Will the Hardware Hash become invalid? | Yes. If you replace parts, you need to gather the new Hardware Hash, though it depends on what is replaced, and the characteristics of the parts. For example, if you replace the TPM or motherboard, its a new device you MUST have new Hardware Hash. If you replace one network card, its probably not a new device, and the device will function with the old Hardware Hash. However, as a best practice, you should assume the old Hardware Hash is invalid and get a new Hardware Hash after any hardware changes this is Microsofts strong recommendation any time you replace parts. |
| Must every hardware hash submitted by the OEM contain the SMBIOS UUID (universally unique identifier), MAC (media access control) address, and unique disk serial number (if using Windows 10, version 1703 and above OEM Activation 3.0 tool)? | Yes. Since Windows Autopilot is based on the ability to uniquely identify devices applying for cloud configuration, it is critical to submit hardware hashes that meet the outlined requirement. |
| What is the reason for needing the SMBIOS UUID, MAC Address, and Disk Serial Number in the hardware hash details? | For creating the hardware hash, these are the fields that are needed to identify a device, as parts of the device are added or removed. Since we dont have a unique identifier for Windows devices, this is the best logic to identify a device. |
| What is difference between OA3 hardware hash, 4K hardware hash, and Windows Autopilot hardware hash? | None. Theyre different names for the same thing. The Windows 10, 1703 version of the OA3 tool output is called the OA3 Hash, which is 4K in size, which is usable for the Windows Autopilot deployment scenario. Note: When using a non-1703 version OA3Tool, you get a different sized Hash, which may not be used for Windows Autopilot deployment. |
| What is the thought around parts replacement and repair for the NIC (network interface controller) and Disk? Will the hardware hash become invalid? | Yes. If you replace parts, you need to gather the new hardware hash, though it depends on what is replaced, and the characteristics of the parts. For example, if you replace the TPM or motherboard, its a new device and you must have new hardware hash. If you replace one network card, its probably not a new device, and the device will function with the old hardware hash. However, as a best practice, you should assume the old hardware hash is invalid and get a new hardware hash after any hardware changes. This is recommended anytime you replace parts. |
## Motherboard replacement
| Question | Answer |
| --- | --- |
| How does Autopilot handle motherboard replacement scenarios? | Motherboard replacement is out for scope for Autopilot. Any device that is repaired or serviced in a way that alters the ability to identify the device for Windows Autopilot must go through the normal OOBE process, and manually select the right settings or apply a custom image - as is the case today. <br><br>To reuse the same device for Windows Autopilot after a motherboard replacement, the device would need to be de-registered from Autopilot, the motherboard replaced, a new 4K HH harvested, and then re-registered using the new 4K HH (or device ID). <br><br>**Note**: An OEM will not be able to use the OEM Direct API to re-register the device, since the OEM Direct API only accepts a tuple or PKID. In this case, the OEM would either have to send the new 4K HH info via a CSV file to customer, and let customer reregister the device via MSfB or Intune.|
| How does Autopilot handle motherboard replacement scenarios? | Motherboard replacement is out for scope for Autopilot. Any device that is repaired or serviced in a way that alters the ability to identify the device for Windows Autopilot must go through the normal OOBE process, and manually select the right settings or apply a custom image, as is the case today. <br><br>To reuse the same device for Windows Autopilot after a motherboard replacement, the device would need to be de-registered from Autopilot, the motherboard replaced, a new 4K HH harvested, and then re-registered using the new 4K hardware hash (or device ID). <br><br>**Note**: An OEM will not be able to use the OEM Direct API to re-register the device, since the OEM Direct API only accepts a tuple or PKID. In this case, the OEM would either have to send the new 4K hardware hash information using a CSV file to customer, and let customer reregister the device using MSfB or Intune.|
## SMBIOS
| Question | Answer |
| --- | --- |
| Any specific requirement to SMBIOS UUID? | It must be unique as specified in the Windows 10 hardware requirements. |
| What is the requirement on the SMBIOS table to meet the Windows Autopilot Hardware Hash need? | It must meet all the Windows 10 hardware requirements. Additional details may be found [here](https://msdn.microsoft.com/library/jj128256(v=vs.85).aspx). |
| If the SMBIOS supports UUID and Serial Number, is it enough for the OA3 tool to generate the Hardware Hash? | No. At a minimum, the following SMBIOS fields need to be populated with unique values: ProductKeyID SmbiosSystemManufacturer SmbiosSystemProductName SmbiosSystemSerialNumber SmbiosSkuNumber SmbiosSystemFamily MacAddress SmbiosUuid DiskSerialNumber TPM EkPub |
| What is the requirement on the SMBIOS table to meet the Windows Autopilot hardware hash need? | It must meet all the Windows 10 hardware requirements. Additional details may be found [here](https://msdn.microsoft.com/library/jj128256(v=vs.85).aspx). |
| If the SMBIOS supports UUID and Serial Number, is it enough for the OA3 tool to generate the hardware hash? | No. At a minimum, the following SMBIOS fields need to be populated with unique values: ProductKeyID SmbiosSystemManufacturer SmbiosSystemProductName SmbiosSystemSerialNumber SmbiosSkuNumber SmbiosSystemFamily MacAddress SmbiosUuid DiskSerialNumber TPM EkPub |
## Technical interface
| Question | Answer |
| --- | --- |
| What is the interface to get the MAC Address and Disk Serial Number? How does the OA tool get MAC and Disk Serial #? | Disk serial number is found from IOCTL_STORAGE_QUERY_PROPERTY with StorageDeviceProperty/PropertyStandardQuery. Network MAC address is IOCTL_NDIS_QUERY_GLOBAL_STATS from OID_802_3_PERMANENT_ADDRESS. However the exact mechanisms/”interface” for doing this operation varies depending on the exact scenario being discussed. |
| Follow up clarification: If we have 2-3 MACs on the system, how does OA Tool choose which MAC Address and Disk Serial Number on the system since there are multiple instances of each? If a platform has LAN And WLAN, which MAC is chosen? | In short, all available values are used. In detail, there may be extra specific usage rules. The System disk serial number is more important than any other disks available. Network interfaces that are removable should not be used if detected as they are removable. LAN vs WLAN should not matter, both will be used. |
| What is the interface to get the MAC Address and Disk Serial Number? How does the OA tool get MAC and Disk Serial #? | Disk serial number is found from IOCTL_STORAGE_QUERY_PROPERTY with StorageDeviceProperty/PropertyStandardQuery. Network MAC address is IOCTL_NDIS_QUERY_GLOBAL_STATS from OID_802_3_PERMANENT_ADDRESS. However the method for performing this operation varies depending on the scenario. |
| Follow up clarification: If we have 2-3 MACs on the system, how does OA Tool choose which MAC Address and Disk Serial Number are on the system since there are multiple instances of each? If a platform has LAN And WLAN, which MAC is chosen? | In short, all available values are used. In detail, there may be specific usage rules. The system disk serial number is more important than the other disks available. Network interfaces that are removable should not be used if detected as they are removable. LAN vs WLAN should not matter, as both will be used. |
## The end user experience
## The end-user experience
|Question|Answer|
|----|-----|
|How do I know that I received Autopilot?|You can tell that you received Windows Autopilot (as in the device received a configuration but has not yet applied it) when you skip the selection page (as seen below), and are immediately taken to a generic or customized sign-in page.|
|Windows Autopilot didnt work, what do I do now?| Questions and actions to assist in troubleshooting: Did a screen not get skipped? Did a user end up as an admin when configured not to? Remember that AAD Admins will be local admins regardless of whether Windows Autopilot is configured to disable local admin Collection information run licensingdiag.exe and send the .cab (Cabinet file) file that is generated to AutopilotHelp@microsoft.com. If possible, collect an ETL from WPR. Often in these cases, users are not signing into the right AAD tenant, or are creating local user accounts. For a complete list of support options, refer to [Windows Autopilot support](autopilot-support.md). |
| If an Administrator makes changes to an existing profile, will the changes take effect on devices that have that profile assigned to them that have already been deployed? |No. Windows Autopilot profiles are not resident on the device. They are downloaded during OOBE, the settings defined at the time are applied. Then, the profile is discarded on the device. If the device is re-imaged or reset, the new profile settings will take effect the next time the device goes through OOBE.|
|What is the experience if a device isnt registered or if an IT Admin doesnt configure Windows Autopilot prior to an end user attempting to self-deploy? |If the device isnt registered, it will not receive the Windows Autopilot experience and the end user will go through normal OOBE. The Windows Autopilot configurations will NOT be applied until the user runs through OOBE again, after registration. If a device is started before an MDM profile is created, the device will go through standard OOBE experience. The IT Admin would then have to manually enroll that device into the MDM, after which—the next time that device is “reset”—it will go through the Windows Autopilot OOBE experience.|
|What may be a reason why I did not receive a customized sign-in screen during Autopilot? |Tenant branding must be configured in portal.azure.com to receive a customized sign-in experience.|
|What happens if a device is registered with Azure AD but does not have an Windows Autopilot profile assigned? |The regular AAD OOBE will occur since no Windows Autopilot profile was assigned to the device.|
|How can I collect logs on Autopilot?|The best way to collect logs on Windows Autopilot performance is to collect a Windows Performance Recorder (WPR) trace during OOBE. The XML file (WPRP extension) for this trace may be provided upon request.|
|Windows Autopilot didnt work, what do I do now?| Questions and actions to assist in troubleshooting: Did a screen not get skipped? Did a user end up as an admin when configured not to? Remember that Azure AD Admins will be local admins regardless of whether Windows Autopilot is configured to disable local admin Collection information: run licensingdiag.exe and send the .cab (Cabinet) file that is generated to AutopilotHelp@microsoft.com. If possible, collect an ETL from Windows Performance Recorder (WPR). Often in these cases, users are not signing into the right Azure AD tenant, or are creating local user accounts. For a complete list of support options, refer to [Windows Autopilot support](autopilot-support.md). |
| If an Administrator makes changes to an existing profile, will the changes take effect on devices that have that profile assigned to them that have already been deployed? |No. Windows Autopilot profiles are not resident on the device. They are downloaded during OOBE, the settings defined at the time are applied. Then, the profile is discarded on the device. If the device is reimaged or reset, the new profile settings will take effect the next time the device goes through OOBE.|
|What is the experience if a device isnt registered or if an IT Admin doesnt configure Windows Autopilot prior to an end user attempting to self-deploy? |If the device isnt registered, it will not receive the Windows Autopilot experience and the end user will go through normal OOBE. The Windows Autopilot configurations will not be applied until the user runs through OOBE again, after registration. If a device is started before an MDM profile is created, the device will go through standard OOBE experience. The IT Admin would then have to manually enroll that device into the MDM, after which the next time that device is reset, it will go through the Windows Autopilot OOBE experience.|
|Why didn't I receive a customized sign-in screen during Autopilot? |Tenant branding must be configured in portal.azure.com to receive a customized sign-in experience.|
|What happens if a device is registered with Azure AD but does not have a Windows Autopilot profile assigned? |The regular Azure AD OOBE will occur since no Windows Autopilot profile was assigned to the device.|
|How can I collect logs on Autopilot?|The best way to collect logs on Windows Autopilot performance is to collect a WPR trace during OOBE. The XML file (WPRP extension) for this trace may be provided upon request.|
## MDM
| Question | Answer |
| --- | --- |
| Must we use Intune for our MDM? | No. No, any MDM will work with Autopilot, but others probably wont have the same full suite of Windows Autopilot features as Intune. Youll get the best experience from Intune. |
| Must we use Intune for our MDM? | No, any MDM will work with Autopilot, but others probably wont have the same full suite of Windows Autopilot features as Intune. Youll get the best experience from Intune. |
| Can Intune support Win32 app preinstalls? | Yes. Starting with the Windows 10 October Update (version 1809), Intune supports Win32 apps using .msi (and .msix) wrappers. |
| What is co-management? | Co-management is when you use a combination of a cloud MDM tool (Intune) and an on-premises configuration tool like System Center Configuration Manager (SCCM). You only need to use SCCM if Intune cant support what you want to do with your profile. If you choose to co-manage using Intune + SCCM, you do it by including an SCCM agent in your Intune profile. When that profile is pushed to the device, the device will see the SCCM agent and go out to SCCM to pull down any additional profile settings. |
| Must we use System Center Configuration Manager (SCCM) for Windows Autopilot | No. Co-management (described above) is optional. |
| Must we use SCCM for Windows Autopilot | No. Co-management (described above) is optional. |
## Features
| Question | Answer |
| --- | --- |
| Self-deploying mode | A new version of Windows Autopilot where the user only turns on the device, and nothing else. Its useful for scenarios where a standard user account isnt needed (e.g., shared devices, or KIOSK devices). |
| Self-deploying mode | A new version of Windows Autopilot where the user only turns on the device, and nothing else. Its useful for scenarios where a standard user account isnt needed (for example, shared devices, or KIOSK devices). |
| Hybrid Azure Active Directory join | Allows Windows Autopilot devices to connect to an on-premises Active Directory domain controller (in addition to being Azure AD joined). |
| Windows Autopilot reset | Removes user apps and settings from a device, but maintains AAD domain join and MDM enrollment. Useful for when transferring a device from one user to another. |
| Personalization | Adds the following to the OOBE experience: A personalized welcome message can be created A username hint can be added Sign-in page text can be personalized The companys logo can be included |
| [Autopilot for existing devices](existing-devices.md) | Offers an upgrade path to Windows Autopilot for all existing Win 7/8 devices. |
| Windows Autopilot reset | Removes user apps and settings from a device, but maintains Azure AD domain join and MDM enrollment. Useful for when transferring a device from one user to another. |
| Personalization | Adds the following to the OOBE experience: A personalized welcome message can be created. A username hint can be added Sign-in page text can be personalized. The companys logo can be included |
| [Autopilot for existing devices](existing-devices.md) | Offers an upgrade path to Windows Autopilot for all existing Windows 7- and Windows 8-based devices. |
@ -131,20 +131,20 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e
|Question|Answer
|------------------|-----------------|
|If I wipe the machine and restart, will I still receive Windows Autopilot?|Yes, if the device is still registered for Windows Autopilot and is running Windows 10, version 1703 7B and above releases, it will receive the Windows Autopilot experience.|
|Can I harvest the device fingerprint on existing machines?|Yes, if the device is running Windows 10, version 1703 and above, you can harvest device fingerprints for registration. There are no plans to backport the functionality to previous releases and no way to harvest them on pre-Windows 10 Windows 10, version 1703 devices that have not been updated to Windows 10, version 1703.|
|What is Windows 10, version 1703 7B and why does it matter?| Windows 10, version 1703 7B is a Windows 10, version 1703 image bundled with cumulative updates. To receive Autopilot, clients **must** run Windows 10, version 1703 7B or later. These cumulative updates contain a critical fix for Autopilot. Consider the following:<br><br><I>Windows Autopilot will not apply its profiles to the machine unless AAD credentials match the expected AAD tenant. For the Windows 10, version 1703 release, it was assumed that would be determined by the domain name, so the domain name used to register (for example contoso.com) should match the domain name used to sign in (for example user@contoso.com). But what happens if your tenant has multiple domains (for example us.contoso.com, or fr.contoso.com)? Since these domain names do not match, the device will not be configured for Autopilot. However, both domains are part of the same AAD tenant, and as such it was determined the matching scheme was not useful. This was improved upon by making use of the tenant ID. By using the tenant ID, we can determine that if the user signs into a domain with a tenant matching the one they registered with, we can safely consider this to be a match. The fix for this problem already exists in Windows 10, version 1709 and was backported into the Windows 10, version 1703 7B release.</I> <br><br>**Key takeaways**: When using pre-Windows 10, version 1703 7B clients the users domain **must** match the domain they registered with. This functionality is found in Windows 10 version 1709 clients using build >= 16215, and Windows 10, version 1703 clients >= 7B. |
|Can I harvest the device fingerprint on existing machines?|Yes, if the device is running Windows 10, version 1703 and above, you can harvest device fingerprints for registration. There are no plans to backport the functionality to previous releases and no way to harvest them on pre-Windows 10, version 1703 devices that have not been updated to Windows 10, version 1703.|
|What is Windows 10, version 1703 7B and why does it matter?| Windows 10, version 1703 7B is a Windows 10, version 1703 image bundled with cumulative updates. To receive Autopilot, clients must run Windows 10, version 1703 7B or later. These cumulative updates contain a critical fix for Autopilot. Consider the following:<br><br><I>Windows Autopilot will not apply its profiles to the machine unless Azure AD credentials match the expected Azure AD tenant. For the Windows 10, version 1703 release, it was assumed that would be determined by the domain name, so the domain name used to register (for example contoso.com) should match the domain name used to sign in (for example user@contoso.com). But what happens if your tenant has multiple domains (for example us.contoso.com, or fr.contoso.com)? Since these domain names do not match, the device will not be configured for Autopilot. However, both domains are part of the same Azure AD tenant, and as such it was determined the matching scheme was not useful. This was improved upon by making use of the tenant ID. By using the tenant ID, you can determine that if the user signs into a domain with a tenant matching the one they registered with, you can safely consider this to be a match. The fix for this problem already exists in Windows 10, version 1709 and was backported into the Windows 10, version 1703 7B release.</I> <br><br>**Key takeaways**: When using pre-Windows 10, version 1703 7B clients the users domain must match the domain they registered with. This functionality is found in Windows 10 version 1709 clients using build >= 16215, and Windows 10, version 1703 clients >= 7B. |
|What is the impact of not updating to 7B?|See the detailed scenario described directly above.|
|Is Windows Autopilot supported on other SKUs, e.g. Surface Hub, HoloLens, Windows Mobile.|No, Windows Autopilot isnt supported on other SKUs.|
|Does Windows Autopilot work after MBR or image re-installation?|Yes.|
| Can machines that have reimaged a few times go through Autopilot? What does the error message "This user is not authorized to enroll" mean? Error code 801c0003. |There are limits to the number of devices a particular AAD user can enroll in AAD, as well as the number of devices that are supported per user in Intune. (These are somewhat configurable but not infinite.) Youll run into this frequently if you reuse the devices, or even if you roll back to previous virtual machine snapshots.|
|What happens if a device is registered to a malicious agent? |By design, Windows Autopilot does not apply a profile until the user signs in with the matching tenant for the configured profile via the AAD sign-in process. What occurs is illustrated below. If badguys.com registers a device owned by contoso.com, at worst, the user would be directed to sign into badguys.com. When the user enters their email/password, the sign-in information is redirected through AAD to the proper AAD authentication and the user is prompted to then sign into contoso.com. Since contoso.com does not match badguys.com as the tenant, the Windows Autopilot profile will not be applied and the regular AAD OOBE will occur.|
|Where is the Windows Autopilot data stored? |Windows Autopilot data is stored in the United States (US), not in a sovereign cloud, even when the AAD tenant is registered in a sovereign cloud. This is applicable to all Windows Autopilot data, regardless of the portal leveraged to deploy Autopilot.|
|Why is Windows Autopilot data stored in the US and not in a sovereign cloud?|It is not customer data that we store, but business data which enables Microsoft to provide a service, therefore it is okay for the data to reside in the US. Customers can stop subscribing to the service any time, and, in that event, the business data is removed by Microsoft.|
|How many ways are there to register a device for Windows Autopilot|There are six ways to register a device, depending on who is doing the registering: <br><br>1. OEM Direct API (only available to TVOs) <br>2. MPC via the MPC API (must be a CSP) <br>3. MPC via manual upload of CSV file in the UI (must be a CSP) <br>4. MSfB via CSV file upload <br>5. Intune via CSV file upload <br>6. Microsoft 365 Business portal via CSV file upload|
|How many ways are there to create a Windows Autopilot profile?|There are four ways to create & assign an Windows Autopilot profile: <br><br>1. Through MPC (must be a CSP) <br>2. Through MSfB <br>3. Through Intune (or another MDM) <br>4. Microsoft 365 Business portal <br><br>Microsoft recommends creation and assignment of profiles through Intune. |
| What are some common causes of registration failures? |1. Bad or missing Hardware hash entries can lead to faulty registration attempts <br>2. Hidden special characters in CSV files. <br><br>To avoid this issue, after creating your CSV file, open it in Notepad to look for hidden characters or trailing spaces or other corruptions.|
|Is Windows Autopilot supported on other SKUs, for example, Surface Hub, HoloLens, Windows Mobile.|No, Windows Autopilot isnt supported on other SKUs.|
|Does Windows Autopilot work after MBR or image reinstallation?|Yes.|
| Can machines that have reimaged a few times go through Autopilot? What does the error message "This user is not authorized to enroll" mean? Error code 801c0003. |There are limits to the number of devices a particular Azure AD user can enroll in Azure AD, as well as the number of devices that are supported per user in Intune. (These are configurable but not infinite.) Youll run into this frequently if you reuse the devices, or even if you roll back to previous virtual machine snapshots.|
|What happens if a device is registered to a malicious agent? |By design, Windows Autopilot does not apply a profile until the user signs in with the matching tenant for the configured profile using the Azure AD sign-in process. What occurs is illustrated below. If badguys.com registers a device owned by contoso.com, at worst, the user would be directed to sign into badguys.com. When the user enters their email/password, the sign-in information is redirected through Azure AD to the proper Azure AD authentication and the user is prompted to then sign into contoso.com. Since contoso.com does not match badguys.com as the tenant, the Windows Autopilot profile will not be applied and the regular Azure AD OOBE will occur.|
|Where is the Windows Autopilot data stored? |Windows Autopilot data is stored in the United States (US), not in a sovereign cloud, even when the Azure AD tenant is registered in a sovereign cloud. This is applicable to all Windows Autopilot data, regardless of the portal leveraged to deploy Autopilot.|
|Why is Windows Autopilot data stored in the US and not in a sovereign cloud?|It is not customer data that we store, but business data that enables Microsoft to provide a service, therefore it is okay for the data to reside in the US. Customers can stop subscribing to the service at any time, and, in that event, the business data is removed by Microsoft.|
|How many ways are there to register a device for Windows Autopilot|There are six ways to register a device, depending on who is doing the registering: <br><br>1. OEM Direct API (only available to TVOs) <br>2. MPC using the MPC API (must be a CSP) <br>3. MPC using manual upload of CSV file in the UI (must be a CSP) <br>4. MSfB using CSV file upload <br>5. Intune using CSV file upload <br>6. Microsoft 365 Business portal using CSV file upload|
|How many ways are there to create a Windows Autopilot profile?|There are four ways to create and assign a Windows Autopilot profile: <br><br>1. Through MPC (must be a CSP) <br>2. Through MSfB <br>3. Through Intune (or another MDM) <br>4. Microsoft 365 Business portal <br><br>Microsoft recommends creation and assignment of profiles through Intune. |
| What are some common causes of registration failures? |1. Bad or missing hardware hash entries can lead to faulty registration attempts <br>2. Hidden special characters in CSV files. <br><br>To avoid this issue, after creating your CSV file, open it in Notepad to look for hidden characters or trailing spaces or other corruptions.|
| Is Autopilot supported on IoT devices? | Autopilot is not supported on IoT Core devices, and there are currently no plans to add this support. Autopilot is supported on Windows 10 IoT Enterprise SAC devices. Autopilot is supported on Windows 10 Enterprise LTSC 2019 and above; it is not supported on earlier versions of LTSC.|
| Is Autopilot supported in all regions/countries? | Autopilot only supports customers using public Azure. Public Azure does not include the three entities listed below:<br>- Azure Germany <br>- Azure China<br>- Azure Government<br>So, if a customer is set up in global Azure, there are no region restrictions. For example, if Contoso uses global Azure but has employees working in China, the Contoso employees working in China would be able to use Autopilot to deploy devices. If Contoso uses Azure China, the Contoso employees would not be able to use Autopilot.|
| Is Autopilot supported in all regions/countries? | Autopilot only supports customers using global Azure. Global Azure does not include the three entities listed below:<br>- Azure Germany <br>- Azure China 21Vianet<br>- Azure Government<br>So, if a customer is set up in global Azure, there are no region restrictions. For example, if Contoso uses global Azure but has employees working in China, the Contoso employees working in China would be able to use Autopilot to deploy devices. If Contoso uses Azure China 21Vianet, the Contoso employees would not be able to use Autopilot.|
## Glossary
@ -156,8 +156,8 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e
| OEM | Original Equipment Manufacturer |
| CSP | Cloud Solution Provider |
| MSfB | Microsoft Store for Business |
| AAD | Azure Active Directory |
| 4K HH | 4K Hardware Hash |
| Azure AD | Azure Active Directory |
| 4K HH | 4K hardware hash |
| CBR | Computer Build Report |
| EC | Enterprise Commerce |
| DDS | Device Directory Service |

6
windows/security/docfx.json
View File

@ -48,7 +48,11 @@
},
"titleSuffix": "Microsoft 365 Security"
},
"fileMetadata": {},
"fileMetadata": {
"titleSuffix":{
"threat-protection/**/*.md": "Windows security"
}
},
"template": [],
"dest": "security",
"markdownEngineName": "markdig"

8
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
View File

@ -47,10 +47,10 @@ Table and column names are also listed within the Microsoft Defender Security Ce
| **[LogonEvents](advanced-hunting-logonevents-table.md)** | Sign-ins and other authentication events |
| **[ImageLoadEvents](advanced-hunting-imageloadevents-table.md)** | DLL loading events |
| **[MiscEvents](advanced-hunting-miscevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
| **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-tvm-softwareinventory-table.md)** | Vulnerabilities in your software inventory |
| **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-tvm-softwarevulnerability-table.md)** | Publicly-available vulnerabilities and whether they exist in your software inventory |
| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-tvm-configassessment-table.md)** | Security configuration assessment information |
| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-tvm-secureconfigkb-table.md)** | Basis of security configuration assessment such as security industry standards and benchmarks |
| **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-tvm-softwareinventory-table.md)** | Inventory of software on devices as well as any known vulnerabilities in these software products |
| **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-tvm-softwarevulnerability-table.md)** | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available |
| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-tvm-configassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices |
| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-tvm-secureconfigkb-table.md)** | Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)

8
windows/security/threat-protection/microsoft-defender-atp/preview.md
View File

@ -44,13 +44,13 @@ The following features are included in the preview release:
- [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) <BR>Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019.
- [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy) <BR> You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).
- [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy) <BR>Report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).
- [Threat & Vulnerability Management Advanced Hunting Schemas](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table) <BR> You can now use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase.
- [Threat & Vulnerability Management Advanced Hunting Schemas](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference) <BR>Use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase.
- [Threat & Vulnerability Management role-based access controls](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) <BR> You can now use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions.
- [Threat & Vulnerability Management role-based access controls](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) <BR>Use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions.
- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) <BR> You can now see a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) <BR>See a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
- [Machine health and compliance report](machine-reports.md) The machine health and compliance report provides high-level information about the devices in your organization.

97
windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
View File

@ -1,5 +1,5 @@
---
title: Configure always-on real-time Windows Defender Antivirus protection
title: Enable and configure Windows Defender Antivirus protection capabilities
description: Enable and configure Windows Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine-learning
keywords: antivirus, real-time protection, rtp, machine-learning, behavior monitoring, heuristics
search.product: eADQiWindows 10XVcnh
@ -11,13 +11,13 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 11/13/2018
ms.date: 12/13/2019
ms.reviewer:
manager: dansimp
ms.custom: nextgen
---
# Enable and configure antivirus always-on protection and monitoring
# Enable and configure Windows Defender Antivirus always-on protection in Group Policy
**Applies to:**
@ -25,50 +25,83 @@ ms.custom: nextgen
Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities.
These activities include events such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as auto-start extensibility points, or ASEPs), and other changes to the file system or file structure.
These activities include events, such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as auto-start extensibility points, or ASEPs), and other changes to the file system or file structure.
## Configure and enable always-on protection
## Enable and configure always-on protection in Group Policy
You can configure how always-on protection works with the Group Policy settings described in this section.
You can use **Local Group Policy Editor** to enable and configure Windows Defender Antivirus always-on protection settings.
To configure these settings:
To enable and configure always-on protection:
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. Open **Local Group Policy Editor**. To do this:
1. In your Windows 10 taskbar search box, type **gpedit**.
2. Under **Best match**, click **Edit group policy** to launch **Local Group Policy Editor**.
![GPEdit taskbar search result](images/gpedit-search.png)
2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus**.
![Windows Defender Antivirus](images/gpedit-windows-defender-antivirus.png)
3. Configure the Windows Defender Antivirus antimalware service policy settings. To do this:
1. In the **Windows Defender Antivirus** details pane on right, double-click the policy setting as specified in the following table:
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
| Setting | Description | Default setting |
|-----------------------------|------------------------|-------------------------------|
| Allow antimalware service to startup with normal priority | You can lower the priority of the Windows Defender Antivirus engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled
| Allow antimalware service to remain running always | If protection updates have been disabled, you can set Windows Defender Antivirus to still run. This lowers the protection on the endpoint. | Disabled |
3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
2. Configure the setting as appropriate, and click **OK**.
3. Repeat the previous steps for each setting in the table.
4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK** and repeat for any other settings.
4. Configure the Windows Defender Antivirus real-time protection policy settings. To do this:
1. In the **Windows Defender Antivirus** details pane, double-click **Real-time Protection**. Or, from the **Windows Defender Antivirus** tree on left pane, click **Real-time Protection**.
![Windows Defender Antivirus Real-time Protection options](images/gpedit-real-time-protection.png)
2. In the **Real-time Protection** details pane on right, double-click the policy setting as specified in the following table:
Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Real-time protection | Monitor file and program activity on your computer | The Windows Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run) | Enabled
Real-time protection | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition Windows Defender SmartScreen, which scans files before and during downloading | Enabled
Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the Windows Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled | Enabled
Real-time protection | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity | Enabled
Real-time protection | Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring | Enabled
Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled
Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions)
Scan | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the Windows Defender Antivirus engine is asked to detect the activity | Enabled
Root | Allow antimalware service to startup with normal priority | You can lower the priority of the Windows Defender Antivirus engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled
Root | Allow antimalware service to remain running always | If protection updates have been disabled, you can set Windows Defender Antivirus to still run. This lowers the protection on the endpoint. | Disabled
| Setting | Description | Default setting |
|-----------------------------|------------------------|-------------------------------|
| Monitor file and program activity on your computer | The Windows Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run). | Enabled |
| Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to the Windows Defender SmartScreen filter, which scans files before and during downloading. | Enabled |
| Turn on process scanning whenever real-time protection is enabled | You can independently enable the Microsoft Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled. | Enabled |
| Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity. | Enabled |
| Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring. | Enabled |
| Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes. | Enabled |
| Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions) |
## Disable real-time protection
3. Configure the setting as appropriate, and click **OK**.
4. Repeat the previous steps for each setting in the table.
5. Configure the Windows Defender Antivirus scanning policy setting. To do this:
1. From the **Windows Defender Antivirus** tree on left pane, click **Scan**.
![Windows Defender Antivirus Scan options](images/gpedit-windows-defender-antivirus-scan.png)
2. In the **Scan** details pane on right, double-click the policy setting as specified in the following table:
| Setting | Description | Default setting |
|-----------------------------|------------------------|-------------------------------|
| Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the Windows Defender Antivirus engine is asked to detect the activity. | Enabled |
3. Configure the setting as appropriate, and click **OK**.
6. Close **Local Group Policy Editor**.
## Disable real-time protection in Group Policy
> [!WARNING]
> Disabling real-time protection will drastically reduce the protection on your endpoints and is not recommended.
> Disabling real-time protection drastically reduces the protection on your endpoints and is not recommended.
The main real-time protection capability is enabled by default, but you can disable it with Group Policy:
The main real-time protection capability is enabled by default, but you can disable it by using **Local Group Policy Editor**.
### Use Group Policy to disable real-time protection
To disable real-time protection in Group policy:
1. Open **Local Group Policy Editor**.
1. In your Windows 10 taskbar search box, type **gpedit**.
2. Under **Best match**, click **Edit group policy** to launch **Local Group Policy Editor**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Real-time Protection**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
3. In the **Real-time Protection** details pane on right, double-click **Turn off real-time protection**.
![Turn off real-time protection](images/gpedit-turn-off-real-time-protection.png)
3. Expand the tree to **Windows components > Windows Defender Antivirus > Real-time protection**.
4. Double-click the **Turn off real-time protection** setting and set the option to **Enabled**. Click **OK**.
4. In the **Turn off real-time protection** setting window, set the option to **Enabled**.
![Turn off real-time protection enabled](images/gpedit-turn-off-real-time-protection-enabled.png)
5. Click **OK**.
6. Close **Local Group Policy Editor**.
## Related articles

BIN
windows/security/threat-protection/windows-defender-antivirus/images/gpedit-administrative-templates.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 140 KiB

BIN
windows/security/threat-protection/windows-defender-antivirus/images/gpedit-real-time-protection.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 210 KiB

BIN
windows/security/threat-protection/windows-defender-antivirus/images/gpedit-search.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 21 KiB

BIN
windows/security/threat-protection/windows-defender-antivirus/images/gpedit-turn-off-real-time-protection-enabled.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 124 KiB

BIN
windows/security/threat-protection/windows-defender-antivirus/images/gpedit-turn-off-real-time-protection.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 225 KiB

BIN
windows/security/threat-protection/windows-defender-antivirus/images/gpedit-windows-defender-antivirus-scan.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 218 KiB

BIN
windows/security/threat-protection/windows-defender-antivirus/images/gpedit-windows-defender-antivirus.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 290 KiB

3
windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
View File

@ -27,6 +27,9 @@ Beginning with the Windows 10 November 2019 update (build 18363), Microsoft Intu
With Intune, IT Pros can now configure their managed S mode devices using a Windows Defender Application Control (WDAC) supplemental policy that expands the S mode base policy to authorize the apps their business uses. This feature changes the S mode security posture from “every app is Microsoft-verified" to “every app is verified by Microsoft or your organization”.
Refer to the below video for an overview and brief demo.
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4mlcp]
## Policy Authorization Process
![Policy Authorization](images/wdac-intune-policy-authorization.png)
The general steps for expanding the S mode base policy on your devices are to generate a supplemental policy, sign that policy, and then upload the signed policy to Intune and assign it to user or device groups.