From d20a9e1a8b09b6d9e1537714b2b393c087c58724 Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Mon, 16 Mar 2020 14:10:28 -0700 Subject: [PATCH 1/8] Delete duplicate sign policies page --- .../signing-policies-with-signtool.md | 91 ------------------- 1 file changed, 91 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md diff --git a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md b/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md deleted file mode 100644 index 4d6bb94c8f..0000000000 --- a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md +++ /dev/null @@ -1,91 +0,0 @@ ---- -title: Signing Windows Defender Application Control policies with SignTool.exe (Windows 10) -description: SSigned WDAC policies give organizations the highest level of malware protection available in Windows 10. -keywords: whitelisting, security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -audience: ITPro -ms.collection: M365-security-compliance -author: jsuther1974 -ms.reviewer: isbrahm -ms.author: dansimp -manager: dansimp -ms.date: 02/21/2018 ---- - -# Signing Windows Defender Application Control policies with SignTool.exe - -**Applies to:** - -- Windows 10 -- Windows Server 2016 - -Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. -In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. -These policies are designed to prevent administrative tampering and kernel mode exploit access. -With this in mind, it is much more difficult to remove signed WDAC policies. -Before you sign and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run. - -Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. -If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA. - -Before signing WDAC policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md). - -To sign a WDAC policy with SignTool.exe, you need the following components: - -- SignTool.exe, found in the Windows SDK (Windows 7 or later) - -- The binary format of the WDAC policy that you generated in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section or another WDAC policy that you have created - -- An internal CA code signing certificate or a purchased code signing certificate - -If you do not have a code signing certificate, see the [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) section for instructions on how to create one. If you use an alternate certificate or WDAC policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session: - -1. Initialize the variables that will be used: - - `$CIPolicyPath=$env:userprofile+"\Desktop\"` - - `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` - - `$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` - - > [!NOTE] - > This example uses the WDAC policy that you created in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md). If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information. - -2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). - -3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later. - -4. Navigate to your desktop as the working directory: - - `cd $env:USERPROFILE\Desktop` - -5. Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy: - - `Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update` - - > [!NOTE] - > \ should be the full path to the certificate that you exported in step 3. - Also, adding update signers is crucial to being able to modify or disable this policy in the future. - -6. Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option: - - `Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete` - -7. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format: - - `ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` - -8. Sign the WDAC policy by using SignTool.exe: - - ` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` - - > [!NOTE] - > The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. - -9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). - From 513dd02925dda0952c9130cdaf396ef1472f9443 Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Mon, 16 Mar 2020 14:15:39 -0700 Subject: [PATCH 2/8] Add redirect link for Signing WDAC policies page --- .openpublishing.redirection.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index a4dfbd0f88..d109fd20f0 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1,6 +1,11 @@ { "redirections": [ { +"source_path": "security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering", +"redirect_document_id": true +}, +{ "source_path": "devices/hololens/hololens-whats-new.md", "redirect_url": "https://docs.microsoft.com/hololens/hololens-release-notes", "redirect_document_id": true From 8810c907000713b357667133ef0951ad81ae5560 Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Mon, 16 Mar 2020 14:26:42 -0700 Subject: [PATCH 3/8] Add SecureBoot requirement info to signed policies docs --- ...indows-defender-application-control-against-tampering.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index edbac5d2b9..7386316a87 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -28,10 +28,8 @@ ms.date: 05/03/2018 - Windows Server 2016 -Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. -In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. -These policies are designed to prevent administrative tampering and kernel mode exploit access. -With this in mind, it is much more difficult to remove signed WDAC policies. +Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed WDAC policies. Note that SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies. + Before you sign and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run. Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. From da766c37ef8c251862a05106e289fea60f506059 Mon Sep 17 00:00:00 2001 From: Bella Brahm Date: Tue, 17 Mar 2020 10:03:42 -0700 Subject: [PATCH 4/8] Remove dup signing page, add operational guide Updating TOC to remove "Signing WDAC policies with SignTool.exe" page, as it is a duplicate of "Use signed policies to protect Windows Defender Application Control against tampering" Additionally, adding an operational guide section to follow design and deployment guides. --- .../TOC.md | 11 ++--- ...r-application-control-operational-guide.md | 41 +++++++++++++++++++ 2 files changed, 47 insertions(+), 5 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 7275492629..364e2c3baf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -21,23 +21,24 @@ ### [Audit WDAC policies](audit-windows-defender-application-control-policies.md) ### [Merge WDAC policies](merge-windows-defender-application-control-policies.md) ### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md) -### [Allow COM object registration](allow-com-object-registration-in-windows-defender-application-control-policy.md) ### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md) ### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md) +### [Allow COM object registration](allow-com-object-registration-in-windows-defender-application-control-policy.md) ### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md) -### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) +### [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md) +### [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) ### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) #### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) #### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) #### [Deploy catalog files to support WDAC](deploy-catalog-files-to-support-windows-defender-application-control.md) -### [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md) -### [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) ### [Use signed policies to protect Windows Defender Application Control against tampering](use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md) -#### [Signing WDAC policies with SignTool.exe](signing-policies-with-signtool.md) ### [Disable WDAC policies](disable-windows-defender-application-control-policies.md) ### [LOB Win32 Apps on S Mode](LOB-win32-apps-on-s.md) +## [Windows Defender Application Control operational guide](windows-defender-application-control-operational-guide.md) +### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) + ## [AppLocker](applocker\applocker-overview.md) ### [Administer AppLocker](applocker\administer-applocker.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md new file mode 100644 index 0000000000..8e14e7cb0d --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md @@ -0,0 +1,41 @@ +--- +title: Managing and troubleshooting Windows Defender Application Control policies (Windows 10) +description: Gather information about how your deployed Windows Defender Application Control policies are behaving. +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.date: 03/16/2020 +--- + +# Windows Defender Application Control operational guide + +**Applies to** +- Windows 10 +- Windows Server 2016 + +After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender Advanted Threat Protection (MDATP) Advanced Hunting feature. + +## WDAC Events Overview + +WDAC generates and logs events when a policy is loaded as well as when a binary attempts to execute and is blocked. These events include information that identifies the policy and gives more details about the block. Generally, WDAC does not generate events when a binary is allowed; however, there is the option to enable allow events when Managed Installer and/or the Intelligent Security Graph (ISG) is configured. + +WDAC events are generated under two locations: + +1. Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational +2. Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script + +## In this section + +| Topic | Description | +| - | - | +| [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) | This topic covers how to view WDAC events centrally from all systems that are connected to Microsoft Defender ATP. | From 5f26d35c1e4863bfab57c196c6be03170fa85ecc Mon Sep 17 00:00:00 2001 From: Bella Brahm Date: Tue, 17 Mar 2020 11:33:50 -0700 Subject: [PATCH 5/8] Add Event IDs docs page WDAC event descriptions are not documented currently --- .../event-id-explanations.md | 80 +++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md new file mode 100644 index 0000000000..182c28dedc --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -0,0 +1,80 @@ +--- +title: Understanding Application Control events (Windows 10) +description: Learn what different Windows Defender Application Control events signify. +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.date: 3/17/2020 +--- + +# Understanding Application Control events + +A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations: + +1. Event IDs beginning with 30 appear in Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational +2. Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script + +## Microsoft Windows CodeIntegrity Operational log event IDs + +| Event ID | Explanation | +|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 3076 | Audit executable/dll file | +| 3077 | Block executable/dll file | +| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is.
Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the “System” portion of the event data under “Correlation ActivityID”. | +| 3099 | Indicates that a policy has been loaded | + +## Microsoft Windows Applocker MSI and Script log event IDs + +| Event ID | Explanation | +|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. | +| 8029 | Block script/MSI file | +| 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the “System” portion of the event data under “Correlation ActivityID”. | | + +## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events + +If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. + +| Event ID | Explanation | +|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 3090 | Allow executable/dll file | +| 3091 | Audit executable/dll file | +| 3092 | Block executable/dll file | + +3090, 3091, and 3092 events are generated based on the status code of whether a binary passed the policy, regardless of what reputation it was given or whether it was allowed by a designated MI. The SmartLocker template which appears in the event should indicate why the binary passed/failed. Only one event is generated per binary pass/fail. If both ISG and MI are disabled, 3090, 3091, and 3092 events will not be generated. + +### SmartLocker template + +Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates. + +| Name | Explanation | +|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. | +| ManagedInstallerEnabled | Policy trusts a MI | +| PassesManagedInstaller | File originated from a trusted MI | +| SmartlockerEnabled | Policy trusts the ISG | +| PassesSmartlocker | File had positive reputation | +| AuditEnabled | True if the policy is in audit mode, otherwise it is in enforce mode | + +### Enabling ISG and MI diagnostic events + +In order to enable 3091 audit events and 3092 block events, you must create a TestFlags regkey with a value of 0x100. You can do so using the following PowerShell command: + + ```powershell + reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100 + ``` +In order to enable 3090 allow events, you must create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command: + + ```powershell + reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 + ``` From 68020943aab4d60774e643b3836f71f89a938501 Mon Sep 17 00:00:00 2001 From: Bella Brahm Date: Tue, 17 Mar 2020 11:39:41 -0700 Subject: [PATCH 6/8] Minor changes to TOC for event explanations page --- .../windows-defender-application-control/TOC.md | 2 +- .../windows-defender-application-control-operational-guide.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 364e2c3baf..5ade5917e6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -37,9 +37,9 @@ ## [Windows Defender Application Control operational guide](windows-defender-application-control-operational-guide.md) +### [Understanding Application Control events](event-id-explanations.md) ### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) - ## [AppLocker](applocker\applocker-overview.md) ### [Administer AppLocker](applocker\administer-applocker.md) #### [Maintain AppLocker policies](applocker\maintain-applocker-policies.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md index 8e14e7cb0d..a34e52ab58 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md @@ -38,4 +38,5 @@ WDAC events are generated under two locations: | Topic | Description | | - | - | +| [Understanding Application Control events](event-id-explanations.md) | This topic explains the meaning of different WDAC events. | | [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) | This topic covers how to view WDAC events centrally from all systems that are connected to Microsoft Defender ATP. | From 004f72b34fe3d03b765383432a876c5b47b5ede1 Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Tue, 17 Mar 2020 11:40:29 -0700 Subject: [PATCH 7/8] Adds contact support link to troubleshooting pages --- .../surface-hub/device-reset-surface-hub.md | 8 ++++- .../surface-hub/miracast-troubleshooting.md | 13 +++++---- .../surface-hub-2s-recover-reset.md | 4 +++ .../surface-hub/troubleshoot-surface-hub.md | 29 ++++++++++--------- 4 files changed, 35 insertions(+), 19 deletions(-) diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md index 6d7d33415f..dc0045817a 100644 --- a/devices/surface-hub/device-reset-surface-hub.md +++ b/devices/surface-hub/device-reset-surface-hub.md @@ -90,7 +90,7 @@ On rare occasions, a Surface Hub may encounter an error while cleaning up user a 1. Use the power switch to turn the Surface Hub back on. The device starts and displays the Surface Hub Logo screen. When you see spinning dots under the Surface Hub Logo, use the power switch to turn the Surface Hub off again. -1. Repeat step 3 three times, or until the Surface Hub displays the “Preparing Automatic Repair” message. After it displays this message, the Surface Hub displays the Windows RE screen. +1. Repeat step 3 three times, or until the Surface Hub displays the "Preparing Automatic Repair" message. After it displays this message, the Surface Hub displays the Windows RE screen. 1. Select **Advanced Options**. @@ -115,6 +115,12 @@ On rare occasions, a Surface Hub may encounter an error while cleaning up user a ![downloading 97&](images/recover-progress.png) When the download finishes, the recovery process restores the Surface Hub according to the options that you selected. + + +## Contact Support + +If you have questions or need help, you can [create a support request](https://support.microsoft.com/en-us/supportforbusiness/productselection). + ## Related topics diff --git a/devices/surface-hub/miracast-troubleshooting.md b/devices/surface-hub/miracast-troubleshooting.md index 9517857676..40ccbb5804 100644 --- a/devices/surface-hub/miracast-troubleshooting.md +++ b/devices/surface-hub/miracast-troubleshooting.md @@ -21,13 +21,13 @@ In traditional Miracast, the projecting device will connect the access point set - The first step is an initial connection using 2.4GHz. - After that initial handshake, the projecting device sends traffic to the monitor using the wireless channel settings on the monitor. If Surface Hub is connected to a Wi-Fi network, the access point, it will use the same channel as the connected network, otherwise it will use the Miracast channel from Settings. -There are generally two types of issues with Miracast to Surface Hub: [connection](#connect-issues) and [performance](#performance-issues). In either case, it is a good idea to get a general picture of wireless network activity in the Surface Hub’s location. Running a network scanning tool will show you the available networks and channel usage in the environment. +There are generally two types of issues with Miracast to Surface Hub: [connection](#connect-issues) and [performance](#performance-issues). In either case, it is a good idea to get a general picture of wireless network activity in the Surface Hub's location. Running a network scanning tool will show you the available networks and channel usage in the environment. ## Connect issues Ensure both Wi-Fi and Miracast are both enabled in Settings on Surface Hub. -If you ran a network scan, you should see Surface Hub Miracast listed as an access point. If Surface Hub’s Miracast network shows up on the scan, but you cannot not see it as an available device, you can try to adjust the Miracast channel used by Surface Hub. +If you ran a network scan, you should see Surface Hub Miracast listed as an access point. If Surface Hub's Miracast network shows up on the scan, but you cannot not see it as an available device, you can try to adjust the Miracast channel used by Surface Hub. When Surface Hub is connected to a Wi-Fi network it will use the same channel settings as the Wi-Fi access point for its Miracast access point. For troubleshooting purposes, disconnect Surface Hub from any Wi-Fi networks (but keep Wi-Fi enabled), so you can control the channel used for Miracast. You can manually select the Miracast channel in Settings. You will need to restart Surface Hub after each change. Generally speaking, you will want to use channels that do not show heavy utilization from the network scan. @@ -42,7 +42,7 @@ It is also a good idea to ensure the latest drivers and updates are installed on Next, ensure Miracast is supported on the device. 1. Press Windows Key + R and type `dxdiag`. -2. Click “Save all information”. +2. Click "Save all information". 3. Open the saved dxdiag.txt and find **Miracast**. It should say **Available, with HDCP**. ### Check firewall @@ -63,7 +63,7 @@ On domain-joined devices, Group Policy can also block Miracast. ### Check event logs -The last place to check is in the Event logs. Miracast events will be logged to **Wlanautoconfig**. This is true on both Surface Hub and the projecting device. If you export Surface Hub logs, you can view Surface Hub’s Wlanautoconfig in the **WindowsEventLog** folder. Errors in the event log can provide some additional details on where the connection fails. +The last place to check is in the Event logs. Miracast events will be logged to **Wlanautoconfig**. This is true on both Surface Hub and the projecting device. If you export Surface Hub logs, you can view Surface Hub's Wlanautoconfig in the **WindowsEventLog** folder. Errors in the event log can provide some additional details on where the connection fails. ## Performance issues @@ -75,7 +75,10 @@ Channel switching is caused when the Wi-Fi adapter needs to send traffic to mult If Surface Hub and the projecting device are both connected to Wi-Fi but using different access points with different channels, this will force Surface Hub and the projecting device to channel switch while Miracast is connected. This will result in both poor wireless project and poor network performance over Wi-Fi. The channel switching will affect the performance of all wireless traffic, not just wireless projection. -Channel switching will also occur if the projecting device is connected to an Wi-Fi network using a different channel than the channel that Surface Hub uses for Miracast. So, a best practice is to set Surface Hub’s Miracast channel to the same channel as the most commonly used access point. +Channel switching will also occur if the projecting device is connected to an Wi-Fi network using a different channel than the channel that Surface Hub uses for Miracast. So, a best practice is to set Surface Hub's Miracast channel to the same channel as the most commonly used access point. If there are multiple Wi-Fi networks or access points in the environment, some channel switching is unavoidable. This is best addressed by ensuring all Wi-Fi drivers are up to date. +## Contact Support + +If you have questions or need help, you can [create a support request](https://support.microsoft.com/en-us/supportforbusiness/productselection). diff --git a/devices/surface-hub/surface-hub-2s-recover-reset.md b/devices/surface-hub/surface-hub-2s-recover-reset.md index 1f0e98f92b..6c9fb942af 100644 --- a/devices/surface-hub/surface-hub-2s-recover-reset.md +++ b/devices/surface-hub/surface-hub-2s-recover-reset.md @@ -69,3 +69,7 @@ At the end of a session, Surface Hub 2S may occasionally encounter an error duri > [!NOTE] > To enter recovery mode, unplug the power cord and plug it in again three times. + +## Contact Support + +If you have questions or need help, you can [create a support request](https://support.microsoft.com/en-us/supportforbusiness/productselection). diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md index af6809a477..2b0397fb04 100644 --- a/devices/surface-hub/troubleshoot-surface-hub.md +++ b/devices/surface-hub/troubleshoot-surface-hub.md @@ -456,15 +456,15 @@ This section lists status codes, mapping, user messages, and actions an admin ca

0x80072EFD

WININET_E_CANNOT_CONNECT

-

Can’t connect to the server right now. Wait a while and try again, or check the account settings.

+

Can't connect to the server right now. Wait a while and try again, or check the account settings.

Verify that the server name is correct and reachable. Verify that the device is connected to the network.

0x86000C29

-

E_NEXUS_STATUS_DEVICE_NOTPROVISIONED (policies don’t match)

+

E_NEXUS_STATUS_DEVICE_NOTPROVISIONED (policies don't match)

The account is configured with policies not compatible with Surface Hub.

Disable the PasswordEnabled policy for this account.

-

We have a bug were we may surface policy errors if the account doesn’t receive any server notifications within the policy refresh interval.

+

We have a bug were we may surface policy errors if the account doesn't receive any server notifications within the policy refresh interval.

0x86000C4C

@@ -475,7 +475,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca

0x86000C0A

E_NEXUS_STATUS_SERVERERROR_RETRYLATER

-

Can’t connect to the server right now.

+

Can't connect to the server right now.

Wait until the server comes back online. If the issue persists, re-provision the account.

@@ -487,7 +487,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca

0x8505000D

E_AIRSYNC_RESET_RETRY

-

Can’t connect to the server right now. Wait a while or check the account’s settings.

+

Can't connect to the server right now. Wait a while or check the account's settings.

This is normally a transient error but if the issue persists check the number of devices associated with the account and delete some of them if the number is large.

@@ -499,13 +499,13 @@ This section lists status codes, mapping, user messages, and actions an admin ca

0x85010004

E_HTTP_FORBIDDEN

-

Can’t connect to the server right now. Wait a while and try again, or check the account’s settings.

+

Can't connect to the server right now. Wait a while and try again, or check the account's settings.

Verify the server name to make sure it is correct. If the account is using cert based authentication make sure the certificate is still valid and update it if not.

0x85030028

E_ACTIVESYNC_PASSWORD_OR_GETCERT

-

The account’s password or client certificate are missing or invalid.

+

The account's password or client certificate are missing or invalid.

Update the password and/or deploy the client certificate.

@@ -523,7 +523,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca

0x80072EE2

WININET_E_TIMEOUT

-

The network doesn’t support the minimum idle timeout required to receive server notification, or the server is offline.

+

The network doesn't support the minimum idle timeout required to receive server notification, or the server is offline.

Verify that the server is running. Verify the NAT settings.

@@ -535,13 +535,13 @@ This section lists status codes, mapping, user messages, and actions an admin ca

0x85010017

E_HTTP_SERVICE_UNAVAIL

-

Can’t connect to the server right now. Wait a while or check the account’s settings.

+

Can't connect to the server right now. Wait a while or check the account's settings.

Verify the server name to make sure it is correct. Wait until the server comes back online. If the issue persists, re-provision the account.

0x86000C0D

E_NEXUS_STATUS_MAILBOX_SERVEROFFLINE

-

Can’t connect to the server right now. Wait a while or check the account’s settings.

+

Can't connect to the server right now. Wait a while or check the account's settings.

Verify the server name to make sure it is correct. Wait until the server comes back online. If the issue persists, re-provision the account.

@@ -555,7 +555,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca

E_NEXUS_STATUS_INVALID_POLICYKEY

The account is configured with policies not compatible with Surface Hub.

Disable the PasswordEnabled policy for this account.

-

We have a bug were we may surface policy errors if the account doesn’t receive any server notifications within the policy refresh interval.

+

We have a bug were we may surface policy errors if the account doesn't receive any server notifications within the policy refresh interval.

0x85010005

@@ -566,7 +566,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca

0x85010014

E_HTTP_SERVER_ERROR

-

Can’t connect to the server.

+

Can't connect to the server.

Verify the server name to make sure it is correct. Trigger a sync and, if the issue persists, re-provision the account.

@@ -602,7 +602,10 @@ This section lists status codes, mapping, user messages, and actions an admin ca -  +## Contact Support + +If you have questions or need help, you can [create a support request](https://support.microsoft.com/en-us/supportforbusiness/productselection). +   ## Related content From 982edee905d36eb4efacc0236a9db43f0723b6ac Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Tue, 17 Mar 2020 13:39:53 -0700 Subject: [PATCH 8/8] Removal of locale in link URLs --- devices/surface-hub/device-reset-surface-hub.md | 2 +- devices/surface-hub/miracast-troubleshooting.md | 2 +- devices/surface-hub/surface-hub-2s-recover-reset.md | 2 +- devices/surface-hub/troubleshoot-surface-hub.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md index dc0045817a..d8d0269900 100644 --- a/devices/surface-hub/device-reset-surface-hub.md +++ b/devices/surface-hub/device-reset-surface-hub.md @@ -119,7 +119,7 @@ On rare occasions, a Surface Hub may encounter an error while cleaning up user a ## Contact Support -If you have questions or need help, you can [create a support request](https://support.microsoft.com/en-us/supportforbusiness/productselection). +If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection). ## Related topics diff --git a/devices/surface-hub/miracast-troubleshooting.md b/devices/surface-hub/miracast-troubleshooting.md index 40ccbb5804..eb33f483d6 100644 --- a/devices/surface-hub/miracast-troubleshooting.md +++ b/devices/surface-hub/miracast-troubleshooting.md @@ -81,4 +81,4 @@ If there are multiple Wi-Fi networks or access points in the environment, some c ## Contact Support -If you have questions or need help, you can [create a support request](https://support.microsoft.com/en-us/supportforbusiness/productselection). +If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection). diff --git a/devices/surface-hub/surface-hub-2s-recover-reset.md b/devices/surface-hub/surface-hub-2s-recover-reset.md index 6c9fb942af..7493e10c3c 100644 --- a/devices/surface-hub/surface-hub-2s-recover-reset.md +++ b/devices/surface-hub/surface-hub-2s-recover-reset.md @@ -72,4 +72,4 @@ At the end of a session, Surface Hub 2S may occasionally encounter an error duri ## Contact Support -If you have questions or need help, you can [create a support request](https://support.microsoft.com/en-us/supportforbusiness/productselection). +If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection). diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md index 2b0397fb04..cf02da1a6e 100644 --- a/devices/surface-hub/troubleshoot-surface-hub.md +++ b/devices/surface-hub/troubleshoot-surface-hub.md @@ -604,7 +604,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca ## Contact Support -If you have questions or need help, you can [create a support request](https://support.microsoft.com/en-us/supportforbusiness/productselection). +If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection).