deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-22 05:43:41 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merged PR 13098: 11/30 AM Publish

Browse Source
This commit is contained in:
Huaping Yu (Beyondsoft Consulting Inc)
2018-11-30 18:29:18 +00:00
parent 07df420c7d d5be1076cb
commit 47a3e5b178
16 changed files with 379 additions and 176 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
devices/surface/surface-diagnostic-toolkit-business.md
View File

@ -32,8 +32,8 @@ To run SDT for Business, download the components listed in the following table.
Mode | Primary scenarios | Download | Learn more
--- | --- | --- | ---
Desktop mode | Assist users in running SDT on their Surface devices to troubleshoot issues.<br>Create a custom package to deploy on one or more Surface devices allowing users to select specific logs to collect and analyze. | SDT distributable MSI package<br>Microsoft Surface Diagnostic Toolkit for Business Installer.MSI<br>[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Use Surface Diagnostic Toolkit in desktop mode](surface-diagnostic-toolkit-desktop-mode.md)
Command line | Directly troubleshoot Surface devices remotely without user interaction, using standard tools such as Configuration Manager. It includes the following commands:<br>`-DataCollector` collects all log files<br>`-bpa` runs health diagnostics using Best Practice Analyzer.<br>`-windowsupdate` checks Windows update for missing firmware or driver updates.<br><br>**Note:** Support for the ability to confirm warranty information will be available via the command `-warranty` | SDT console app<br>Microsoft Surface Diagnostics App Console.exe<br>[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md)
Desktop mode | Assist users in running SDT on their Surface devices to troubleshoot issues.<br>Create a custom package to deploy on one or more Surface devices allowing users to select specific logs to collect and analyze. | SDT distributable MSI package:<br>Microsoft Surface Diagnostic Toolkit for Business Installer<br>[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Use Surface Diagnostic Toolkit in desktop mode](surface-diagnostic-toolkit-desktop-mode.md)
Command line | Directly troubleshoot Surface devices remotely without user interaction, using standard tools such as Configuration Manager. It includes the following commands:<br>`-DataCollector` collects all log files<br>`-bpa` runs health diagnostics using Best Practice Analyzer.<br>`-windowsupdate` checks Windows update for missing firmware or driver updates.<br><br>**Note:** Support for the ability to confirm warranty information will be available via the command `-warranty` | SDT console app:<br>Microsoft Surface Diagnostics App Console<br>[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md)
## Supported devices

9
devices/surface/surface-diagnostic-toolkit-command-line.md
View File

@ -25,13 +25,18 @@ Download and install SDT app console from the [Surface Tools for IT download pag
- Run health diagnostics using Best Practice Analyzer.
- Check update for missing firmware or driver updates.
By default, output files are saved to C:\Administrator\user. Refer to the following table for a complete list of commands.
>[!NOTE]
>In this release, the SDT app console supports single commands only. Running multiple command line options requires running the console exe separately for each command.
By default, output files are saved in the same location as the console app. Refer to the following table for a complete list of commands.
Command | Notes
--- | ---
-DataCollector "output file" | Collects system details into a zip file. "output file" is the file path to create system details zip file.<br><br>**Example**:<br>`Microsoft.Surface.Diagnostics.App.Console.exe -DataCollector SDT_DataCollection.zip`
-bpa "output file" | Checks several settings and health indicators in the device. “output file" is the file path to create the HTML report.<br><br>**Example**:<br>`Microsoft.Surface.Diagnostics.App.Console.exe -bpa BPA.html`
-windowsupdate | Checks Windows Update online servers for missing firmware and/or driver updates.<br><br>**Example**:<br>Microsoft.Surface.Diagnostics.App.Console.exe -windowsupdate
-warranty "output file" | Checks warranty information on the device (valid or invalid). The optional “output file” is the file path to create the xml file. <br><br>**Example**: <br>Microsoft.Surface.Diagnostics.App.Console.exe warranty “warranty.xml”
>[!NOTE]
>To run the SDT app console remotely on target devices, you can use a configuration management tool such as System Center Configuration Manager. Alternatively, you can create a .zip file containing the console app and appropriate console commands and deploy per your organizations software distribution processes.
@ -140,4 +145,4 @@ You can run BPA tests across key components such as BitLocker, Secure Boot, and
<tr><td><strong>Value:</strong></td><td></td></tr>
<tr><td><strong>Condition:</strong></td><td><font color="00ff00">Optimal</font></td></tr>
<tr><td><strong>Guidance:</strong></td><td>Check with the original equipment manufacturer for compatibility with your Surface device.</td></tr>
</table>
</table>

2
mdop/uev-v2/security-considerations-for-ue-v-2x-both-uevv2.md
View File

@ -43,7 +43,7 @@ Because settings packages might contain personal information, you should take ca
| User account | Recommended permissions | Folder |
| - | - | - |
| Creator/Owner | No permissions | No permissions |
| Creator/Owner | Full control | Subfolders and files only|
| Domain Admins | Full control | This folder, subfolders, and files |
| Security group of UE-V users | List folder/read data, create folders/append data | This folder only |
| Everyone | Remove all permissions | No permissions |

1
windows/client-management/TOC.md
View File

@ -17,5 +17,6 @@
### [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
### [Advanced troubleshooting Wireless Network Connectivity](advanced-troubleshooting-wireless-network-connectivity.md)
### [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md)
### [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md)
## [Mobile device management for solution providers](mdm/index.md)
## [Change history for Client management](change-history-for-client-management.md)

3
windows/client-management/change-history-for-client-management.md
View File

@ -9,7 +9,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: jdeckerMS
ms.author: jdecker
ms.date: 09/12/2017
ms.date: 11/30/2018
---
# Change history for Client management
@ -21,6 +21,7 @@ This topic lists new and updated topics in the [Client management](index.md) doc
New or changed topic | Description
--- | ---
[Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md) | New
[Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md) | New
## RELEASE: Windows 10, version 1709

308
windows/client-management/data-collection-for-802-authentication.md
View File

@ -25,19 +25,19 @@ Use the following steps to collect wireless and wired logs on Windows and Window
```
netsh ras set tracing * enabled
netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl
netsh trace start scenario=wlan,wlan_wpp,wlan_dbg,wireless_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl
```
**Wireless Windows 7 and Windows 8:**
```
netsh ras set tracing * enabled
netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl
netsh trace start scenario=wlan,wlan_wpp,wlan_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl
```
**Wired client, regardless of version**
```
netsh ras set tracing * enabled
netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_cli.etl
netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_cli.etl
```
3. Run the following command to enable CAPI2 logging:
@ -54,21 +54,21 @@ Use the following steps to collect wireless and wired logs on Windows and Window
```
netsh ras set tracing * enabled
netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl
netsh trace start scenario=wlan,wlan_wpp,wlan_dbg,wireless_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl
```
**Windows Server 2008 R2, Windows Server 2012 wireless network**
```
netsh ras set tracing * enabled
netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl
netsh trace start scenario=wlan,wlan_wpp,wlan_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl
```
**Wired network**
```
netsh ras set tracing * enabled
netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_nps.etl
netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_nps.etl
```
6. Run the following command to enable CAPI2 logging:
@ -82,7 +82,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window
> When the mouse button is clicked, the cursor will blink in red while capturing a screen image.
```
psr /start /output c:\MSLOG\%computername%\_psr.zip /maxsc 100
psr /start /output c:\MSLOG\%computername%_psr.zip /maxsc 100
```
8. Repro the issue.
9. Run the following command on the client PC to stop the PSR capturing:
@ -103,7 +103,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window
```
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx
```
11. Run the following commands on the client PC.
@ -116,14 +116,14 @@ Use the following steps to collect wireless and wired logs on Windows and Window
- To disable and copy the CAPI2 log:
```
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx
```
12. Save the following logs on the client and the NPS:
**Client**
- C:\MSLOG\%computername%_psr.zip
- C:\MSLOG\CAPI2_%COMPUTERNAME%.evtx
- C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx
- C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl
- C:\MSLOG\%COMPUTERNAME%_wireless_cli.cab
- All log files and folders in %Systemroot%\Tracing
@ -144,75 +144,77 @@ Use the following steps to collect wireless and wired logs on Windows and Window
- Environmental information and Group Policies application status
```
gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.htm
msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
gpresult /H C:\MSLOG\%COMPUTERNAME%_gpresult.htm
msinfo32 /report c:\MSLOG\%COMPUTERNAME%_msinfo32.txt
ipconfig /all > c:\MSLOG\%COMPUTERNAME%_ipconfig.txt
route print > c:\MSLOG\%COMPUTERNAME%_route_print.txt
```
- Event logs
```
wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
wevtutil epl Microsoft-Windows-GroupPolicy/Operational C:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-WLAN-AutoConfig-Operational.evtx
wevtutil epl "Microsoft-Windows-Wired-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-Wired-AutoConfig-Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
wevtutil epl Application c:\MSLOG\%COMPUTERNAME%_Application.evtx
wevtutil epl System c:\MSLOG\%COMPUTERNAME%_System.evtx
wevtutil epl Security c:\MSLOG\%COMPUTERNAME%_Security.evtx
wevtutil epl Microsoft-Windows-GroupPolicy/Operational C:\MSLOG\%COMPUTERNAME%_GroupPolicy_Operational.evtx
wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%_Microsoft-Windows-WLAN-AutoConfig-Operational.evtx
wevtutil epl "Microsoft-Windows-Wired-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%_Microsoft-Windows-Wired-AutoConfig-Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-CredentialRoaming_Operational.evtx
wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%_CertPoleEng_Operational.evtx
```
- For Windows 8 and later, also run these commands for event logs:
```
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-System_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-User_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServices-Deployment_Operational.evtx
```
- Certificates Store information:
```
certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
certutil -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%_cert-Personal-Registry.txt
certutil -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-Registry.txt
certutil -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-GroupPolicy.txt
certutil -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_TrustedRootCA-Enterprise.txt
certutil -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Reg.txt
certutil -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-GroupPolicy.txt
certutil -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Enterprise.txt
certutil -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-Registry.txt
certutil -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-GroupPolicy.txt
certutil -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%_cert-Intermediate-Enterprise.txt
certutil -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Registry.txt
certutil -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-GroupPolicy.txt
certutil -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Enterprise.txt
certutil -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Registry.txt
certutil -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-GroupPolicy.txt
certutil -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Enterprise.txt
certutil -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%_cert-NtAuth-Enterprise.txt
certutil -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%_cert-User-Personal-Registry.txt
certutil -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Registry.txt
certutil -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Enterprise.txt
certutil -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-Registry.txt
certutil -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-GroupPolicy.txt
certutil -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-Registry.txt
certutil -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-GroupPolicy.txt
certutil -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-Registry.txt
certutil -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-GroupPolicy.txt
certutil -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-Registry.txt
certutil -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-GroupPolicy.txt
certutil -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-Registry.txt
certutil -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-GroupPolicy.txt
certutil -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%_cert-User-UserDS.txt
```
- Wireless LAN client information:
```
netsh wlan show all > c:\MSLOG\%COMPUTERNAME%\_wlan\_show\_all.txt
netsh wlan show all > c:\MSLOG\%COMPUTERNAME%_wlan_show_all.txt
netsh wlan export profile folder=c:\MSLOG\
```
- Wired LAN Client information
```
netsh lan show all > c:\MSLOG\%COMPUTERNAME%\_lan\_show\_all.txt
netsh lan show interfaces > c:\MSLOG\%computername%_lan_interfaces.txt
netsh lan show profiles > c:\MSLOG\%computername%_lan_profiles.txt
netsh lan show settings > c:\MSLOG\%computername%_lan_settings.txt
netsh lan export profile folder=c:\MSLOG\
```
4. Save the logs stored in C:\MSLOG.
@ -225,68 +227,68 @@ Use the following steps to collect wireless and wired logs on Windows and Window
- Environmental information and Group Policies application status:
```
gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
gpresult /H C:\MSLOG\%COMPUTERNAME%_gpresult.txt
msinfo32 /report c:\MSLOG\%COMPUTERNAME%_msinfo32.txt
ipconfig /all > c:\MSLOG\%COMPUTERNAME%_ipconfig.txt
route print > c:\MSLOG\%COMPUTERNAME%_route_print.txt
```
- Event logs:
```
wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
wevtutil epl Application c:\MSLOG\%COMPUTERNAME%_Application.evtx
wevtutil epl System c:\MSLOG\%COMPUTERNAME%_System.evtx
wevtutil epl Security c:\MSLOG\%COMPUTERNAME%_Security.evtx
wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%_GroupPolicy_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-CredentialRoaming_Operational.evtx
wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%_CertPoleEng_Operational.evtx
```
- Run the following 3 commands on Windows Server 2012 and later:
```
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-System_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-User_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServices-Deployment_Operational.evtx
```
- Certificates store information
```
certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
certutil -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%_cert-Personal-Registry.txt
certutil -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-Registry.txt
certutil -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-GroupPolicy.txt
certutil -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_TrustedRootCA-Enterprise.txt
certutil -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Reg.txt
certutil -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-GroupPolicy.txt
certutil -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Enterprise.txt
certutil -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-Registry.txt
certutil -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-GroupPolicy.txt
certutil -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%_cert-Intermediate-Enterprise.txt
certutil -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Registry.txt
certutil -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-GroupPolicy.txt
certutil -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Enterprise.txt
certutil -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Registry.txt
certutil -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-GroupPolicy.txt
certutil -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Enterprise.txt
certutil -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%_cert-NtAuth-Enterprise.txt
certutil -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%_cert-User-Personal-Registry.txt
certutil -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Registry.txt
certutil -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Enterprise.txt
certutil -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-Registry.txt
certutil -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-GroupPolicy.txt
certutil -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-Registry.txt
certutil -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-GroupPolicy.txt
certutil -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-Registry.txt
certutil -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-GroupPolicy.txt
certutil -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-Registry.txt
certutil -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-GroupPolicy.txt
certutil -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-Registry.txt
certutil -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-GroupPolicy.txt
certutil -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%_cert-User-UserDS.txt
```
- NPS configuration information:
```
netsh nps show config > C:\MSLOG\%COMPUTERNAME%\_nps\_show\_config.txt
netsh nps export filename=C:\MSLOG\%COMPUTERNAME%\_nps\_export.xml exportPSK=YES
netsh nps show config > C:\MSLOG\%COMPUTERNAME%_nps_show_config.txt
netsh nps export filename=C:\MSLOG\%COMPUTERNAME%_nps_export.xml exportPSK=YES
```
3. Take the following steps to save an NPS accounting log.
1. Open **Administrative tools > Network Policy Server**.
@ -304,70 +306,70 @@ Use the following steps to collect wireless and wired logs on Windows and Window
- Environmental information and Group Policies application status
```
gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
gpresult /H C:\MSLOG\%COMPUTERNAME%_gpresult.txt
msinfo32 /report c:\MSLOG\%COMPUTERNAME%_msinfo32.txt
ipconfig /all > c:\MSLOG\%COMPUTERNAME%_ipconfig.txt
route print > c:\MSLOG\%COMPUTERNAME%_route_print.txt
```
- Event logs
```
wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
wevtutil epl Application c:\MSLOG\%COMPUTERNAME%_Application.evtx
wevtutil epl System c:\MSLOG\%COMPUTERNAME%_System.evtx
wevtutil epl Security c:\MSLOG\%COMPUTERNAME%_Security.evtx
wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%_GroupPolicy_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-CredentialRoaming_Operational.evtx
wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%_CertPoleEng_Operational.evtx
```
- Run the following 3 lines on Windows 2012 and up
```
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-System_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-User_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServices-Deployment_Operational.evtx
```
- Certificates store information
```
certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
certutil -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%_cert-Personal-Registry.txt
certutil -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-Registry.txt
certutil -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-GroupPolicy.txt
certutil -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_TrustedRootCA-Enterprise.txt
certutil -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Reg.txt
certutil -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-GroupPolicy.txt
certutil -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Enterprise.txt
certutil -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-Registry.txt
certutil -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-GroupPolicy.txt
certutil -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%_cert-Intermediate-Enterprise.txt
certutil -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Registry.txt
certutil -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-GroupPolicy.txt
certutil -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Enterprise.txt
certutil -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Registry.txt
certutil -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-GroupPolicy.txt
certutil -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Enterprise.txt
certutil -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%_cert-NtAuth-Enterprise.txt
certutil -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%_cert-User-Personal-Registry.txt
certutil -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Registry.txt
certutil -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Enterprise.txt
certutil -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-Registry.txt
certutil -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-GroupPolicy.txt
certutil -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-Registry.txt
certutil -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-GroupPolicy.txt
certutil -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-Registry.txt
certutil -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-GroupPolicy.txt
certutil -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-Registry.txt
certutil -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-GroupPolicy.txt
certutil -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-Registry.txt
certutil -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-GroupPolicy.txt
certutil -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%_cert-User-UserDS.txt
```
- CA configuration information
```
reg save HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.hiv
reg export HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.txt
reg save HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.hiv
reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.tx
reg save HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%_CertSvc.hiv
reg export HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%_CertSvc.txt
reg save HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%_Cryptography.hiv
reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%_Cryptography.tx
```
3. Copy the following files, if exist, to C:\MSLOG: %windir%\CAPolicy.inf
4. Log on to a domain controller and create C:\MSLOG to store captured logs.
@ -376,7 +378,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window
```powershell
Import-Module ActiveDirectory
Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter \* -Properties \* | fl \* > C:\MSLOG\Get-ADObject\_$Env:COMPUTERNAME.txt
Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter \* -Properties \* | fl \* > C:\MSLOG\Get-ADObject_$Env:COMPUTERNAME.txt
```
7. Save the following logs.
- All files in C:\MSLOG on the CA

20
windows/client-management/mdm/policy-csp-deviceinstallation.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 11/30/2018
ms.date: 12/01/2018
---
# Policy CSP - DeviceInstallation
@ -234,9 +234,13 @@ ADMX Info:
<!--/Validation-->
<!--/Policy-->
To enable this policy, use the following SyncML. This example allows Windows to install CD-ROM drives, floppy disks, and modems.
To enable this policy, use the following SyncML. This example allows Windows to install:
Enclose the class GUID within curly brackets {}. To configure multiple classes, use `&#xF000;` as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_Classes_Deny_Retroactive to true.
- Floppy Disks, ClassGUID = {4d36e980-e325-11ce-bfc1-08002be10318}
- CD ROMs, ClassGUID = {4d36e965-e325-11ce-bfc1-08002be10318}
- Modems, ClassGUID = {4d36e96d-e325-11ce-bfc1-08002be10318}
Enclose the class GUID within curly brackets {}. To configure multiple classes, use `&#xF000;` as a delimiter.
``` syntax
@ -251,7 +255,7 @@ Enclose the class GUID within curly brackets {}. To configure multiple classes,
<Meta>
<Format xmlns="syncml:metinf">string</Format>
</Meta>
<Data><enabled/><Data id="DeviceInstall_Classes_Allow_List" value="1&#xF000;{4d36e969-e325-11ce-bfc1-08002be10318}&#xF000;2&#xF000;{4d36e969-e325-11ce-bfc1-08002be10318}&#xF000;3&#xF000;{4d36e969-e325-11ce-bfc1-08002be10318}"/></Data>
<Data><enabled/><Data id="DeviceInstall_Classes_Allow_List" value="1&#xF000;{4d36e980-e325-11ce-bfc1-08002be10318}&#xF000;2&#xF000;{4d36e965-e325-11ce-bfc1-08002be10318}&#xF000;3&#xF000;{4d36e96d-e325-11ce-bfc1-08002be10318}"/></Data>
</Item>
</Replace>
</SyncBody>
@ -583,7 +587,11 @@ ADMX Info:
<!--/Policy-->
<hr/>
To enable this policy, use the following SyncML. This example prevents Windows from installing CD-ROM drives, floppy disks, and modems (ClassGuid= {4d36e980-e325-11ce-bfc1-08002be10318}). This policy example also applies to matching device classes that are already installed.
To enable this policy, use the following SyncML. This example prevents Windows from installing:
- Floppy Disks, ClassGUID = {4d36e980-e325-11ce-bfc1-08002be10318}
- CD ROMs, ClassGUID = {4d36e965-e325-11ce-bfc1-08002be10318}
- Modems, ClassGUID = {4d36e96d-e325-11ce-bfc1-08002be10318}
Enclose the class GUID within curly brackets {}. To configure multiple classes, use `&#xF000;` as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_Classes_Deny_Retroactive to true.
@ -600,7 +608,7 @@ Enclose the class GUID within curly brackets {}. To configure multiple classes,
<Meta>
<Format xmlns="syncml:metinf">string</Format>
</Meta>
<Data><enabled/><data id="DeviceInstall_Classes_Deny_Retroactive" value="true"/><Data id="DeviceInstall_Classes_Deny_List" value="1&#xF000;{4d36e969-e325-11ce-bfc1-08002be10318}&#xF000;2&#xF000;{4d36e969-e325-11ce-bfc1-08002be10318}&#xF000;3&#xF000;{4d36e969-e325-11ce-bfc1-08002be10318}"/></Data>
<Data><enabled/><data id="DeviceInstall_Classes_Deny_Retroactive" value="true"/><Data id="DeviceInstall_Classes_Deny_List" value="1&#xF000;{4d36e980-e325-11ce-bfc1-08002be10318}&#xF000;2&#xF000;{4d36e965-e325-11ce-bfc1-08002be10318}&#xF000;3&#xF000;{4d36e96d-e325-11ce-bfc1-08002be10318}"/></Data>
</Item>
</Replace>
</SyncBody>

172
windows/client-management/troubleshoot-stop-errors.md Normal file
View File

@ -0,0 +1,172 @@
---
title: Advanced troubleshooting for Stop error or blue screen error issue
description: Learn how to troubleshoot Stop error or blue screen issues.
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
ms.topic: troubleshooting
author: kaushika-msft
ms.localizationpriority: medium
ms.author: kaushika
ms.date: 11/30/2018
---
# Advanced troubleshooting for Stop error or blue screen error issue
>[!NOTE]
>If you're not a support agent or IT professional, you'll find more helpful information about Stop error ("blue screen") messages in [Troubleshoot blue screen errors](https://support.microsoft.com/help/14238).
## What causes Stop errors?
A Stop error is displayed as a blue screen that contains the name of the faulty driver, such as any of the following example drivers:
- atikmpag.sys
- igdkmd64.sys
- nvlddmkm.sys
There is no simple explanation for the cause of Stop errors (also known as blue screen errors or bug check errors). Many different factors can be involved. However, various studies indicate that Stop errors usually are not caused by Microsoft Windows components. Instead, these errors are generally related to malfunctioning hardware drivers or drivers that are installed by third-party software. This includes video cards, wireless network cards, security programs, and so on.
Our analysis of the root causes of crashes indicates the following:
- 70 percent are caused by third-party driver code
- 10 percent are caused by hardware issues
- 5 percent are caused by Microsoft code
- 15 percent have unknown causes (because the memory is too corrupted to analyze)
## General troubleshooting steps
To troubleshoot Stop error messages, follow these general steps:
1. Review the Stop error code that you find in the event logs. Search online for the specific Stop error codes to see whether there are any known issues, resolutions, or workarounds for the problem.
2. As a best practice, we recommend that you do the following:
a. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system:
- [Windows 10, version 1803](https://support.microsoft.com/help/4099479)
- [Windows 10, version 1709](https://support.microsoft.com/help/4043454)
- [Windows 10, version 1703](https://support.microsoft.com/help/4018124)
- [Windows Server 2016 and Windows 10, version 1607](https://support.microsoft.com/help/4000825)
- [Windows 10, version 1511](https://support.microsoft.com/help/4000824)
- [Windows Server 2012 R2 and Windows 8.1](https://support.microsoft.com/help/4009470)
- [Windows Server 2008 R2 and Windows 7 SP1](https://support.microsoft.com/help/4009469)
b. Make sure that the BIOS and firmware are up-to-date.
c. Run any relevant hardware and memory tests.
3. Run the [Machine Memory Dump Collector](https://home.diagnostics.support.microsoft.com/selfhelp?knowledgebasearticlefilter=2027760&wa=wsignin1.0) Windows diagnostic package. This diagnostic tool is used to collect machine memory dump files and check for known solutions.
4. Run [Microsoft Safety Scanner](http://www.microsoft.com/security/scanner/en-us/default.aspx) or any other virus detection program that includes checks of the Master Boot Record for infections.
5. Make sure that there is sufficient free space on the hard disk. The exact requirement varies, but we recommend 10 to 15 percent free disk space.
6. Contact the respective hardware or software vendor to update the drivers and applications in the following scenarios:
- The error message indicates that a specific driver is causing the problem.
- You are seeing an indication of a service that is starting or stopping before the crash occurred. In this situation, determine whether the service behavior is consistent across all instances of the crash.
- You have made any software or hardware changes.
>[!NOTE]
>If there are no updates available from a specific manufacturer, it is recommended that you disable the related service.
>
>To do this, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135)
>
>You can disable a driver by following the steps in [How to temporarily deactivate the kernel mode filter driver in Windows](https://support.microsoft.com/help/816071).
>
>You may also want to consider the option of rolling back changes or reverting to the last-known working state. For more information, see [Roll Back a Device Driver to a Previous Version](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732648(v=ws.11)).
### Memory dump collection
To configure the system for memory dump files, follow these steps:
1. [Download DumpConfigurator tool](https://codeplexarchive.blob.core.windows.net/archive/projects/WinPlatTools/WinPlatTools.zip).
2. Extract the .zip file and navigate to **Source Code** folder.
3. Run the tool DumpConfigurator.hta, and then select **Elevate this HTA**.
3. Select **Auto Config Kernel**.
4. Restart the computer for the setting to take effect.
5. Stop and disable Automatic System Restart Services (ASR) to prevent dump files from being written.
6. If the server is virtualized, disable auto reboot after the memory dump file is created. This lets you take a snapshot of the server in-state and also if the problem recurs.
The memory dump file is saved at the following locations.
| Dump file type | Location |
|----------------|----------|
|(none) | %SystemRoot%\MEMORY.DMP (inactive, or greyed out) |
|Small memory dump file (256kb) | %SystemRoot%\Minidump |
|Kernel memory dump file | %SystemRoot%\MEMORY.DMP |
| Complete memory dump file | %SystemRoot%\MEMORY.DMP |
| Automatic memory dump file | %SystemRoot%\MEMORY.DMP |
| Active memory dump file | %SystemRoot%\MEMORY.DMP |
You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files are not corrupted or invalid. For more information, see the following video:
>[!video https://www.youtube.com/embed?v=xN7tOfgNKag]
### Pagefile Settings
- [Introduction of page file in Long-Term Servicing Channel and Semi-Annual Channel of Windows](https://support.microsoft.com/help/4133658)
- [How to determine the appropriate page file size for 64-bit versions of Windows](https://support.microsoft.com/help/2860880)
- [How to generate a kernel or a complete memory dump file in Windows Server 2008 and Windows Server 2008 R2](https://support.microsoft.com/help/969028)
### Memory dump analysis
Finding the root cause of the crash may not be easy. Hardware problems are especially difficult to diagnose because they may cause erratic and unpredictable behavior that can manifest itself in a variety of symptoms.
When a Stop error occurs, you should first isolate the problematic components, and then try to cause them to trigger the Stop error again. If you can replicate the problem, you can usually determine the cause.
You can use the tools such as Windows Software Development KIT (SDK) and Symbols to diagnose dump logs.
## Advanced troubleshooting using Driver Verifier
We estimate that about 75 percent of all Stop errors are caused by faulty drivers. The Driver Verifier tool provides several methods to help you troubleshoot. These include running drivers in an isolated memory pool (without sharing memory with other components), generating extreme memory pressure, and validating parameters. If the tool encounters errors in the execution of driver code, it proactively creates an exception to let that part of the code be examined further.
>[!WARNING]
>Driver Verifier consumes lots of CPU and can slow down the computer significantly. You may also experience additional crashes. Verifier disables faulty drivers after a Stop error occurs, and continues to do this until you can successfully restart the system and access the desktop. You can also expect to see several dump files created.
>
>Dont try to verify all the drivers at one time. This can degrade performance and make the system unusable. This also limits the effectiveness of the tool.
Use the following guidelines when you use Driver Verifier:
- Test any “suspicious” drivers (drivers that were recently updated or that are known to be problematic).
- If you continue to experience non-analyzable crashes, try enabling verification on all third-party and unsigned drivers.
- Enable concurrent verification on groups of 10 to 20 drivers.
- Additionally, if the computer cannot boot into the desktop because of Driver Verifier, you can disable the tool by starting in Safe mode. This is because the tool cannot run in Safe mode.
For more information, see [Driver Verifier](https://docs.microsoft.com/windows-hardware/drivers/devtest/driver-verifier).
**Video resources**
The following videos illustrate various troubleshooting techniques.
- [Analyze Dump File](https://www.youtube.com/watch?v=s5Vwnmi_TEY)
- [Installing Debugging Tool for Windows (x64 and x86)](https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-Building-your-USB-thumbdrive/player#time=22m29s:paused)
- [Debugging kernel mode crash memory dumps](https://channel9.msdn.com/Shows/Defrag-Tools/DefragTools-137-Debugging-kernel-mode-dumps)
- [Special Pool](https://www.youtube.com/watch?v=vHXYS9KdU1k)
## Common Windows Stop errors
This section doesn't contain a list of all error codes, but since many error codes have the same potential resolutions, your best bet is to follow the steps below to troubleshoot your error.
The following table lists general troubleshooting procedures for common Stop error codes.
Stop error message and code | Mitigation
--- | ---
VIDEO_ENGINE_TIMEOUT_DETECTED or VIDEO_TDR_TIMEOUT_DETECTED<br>Stop error code 0x00000141, or 0x00000117 | Contact the vendor of the listed display driver to get an appropriate update for that driver.
DRIVER_IRQL_NOT_LESS_OR_EQUAL <br>Stop error code 0x0000000D1 | Apply the latest updates for the driver by applying the latest cumulative updates for the system through the Microsoft Update Catalog website.Update an outdated NIC driver. Virtualized VMware systems often run “Intel(R) PRO/1000 MT Network Connection” (e1g6032e.sys). This driver is available at [http://downloadcenter.intel.com](http://downloadcenter.intel.com). Contact the hardware vendor to update the NIC driver for a resolution. For VMware systems, use the VMware integrated NIC driver (types VMXNET or VMXNET2 , VMXNET3 can be used) instead of Intel e1g6032e.sys.
PAGE_FAULT_IN_NONPAGED_AREA <br>Stop error code 0x000000050 | If a driver is identified in the Stop error message, contact the manufacturer for an update.If no updates are available, disable the driver, and monitor the system for stability. Run Chkdsk /f /r to detect and repair disk errors. You must restart the system before the disk scan begins on a system partition. Contact the manufacturer for any diagnostic tools that they may provide for the hard disk subsystem. Try to reinstall any application or service that was recently installed or updated. It's possible that the crash was triggered while the system was starting applications and reading the registry for preference settings. Reinstalling the application can fix corrupted registry keys.If the problem persists, and you have run a recent system state backup, try to restore the registry hives from the backup.
SYSTEM_SERVICE_EXCEPTION <br>Stop error code c000021a {Fatal System Error} The Windows SubSystem system process terminated unexpectedly with a status of 0xc0000005. The system has been shut down. | Use the System File Checker tool to repair missing or corrupted system files. The System File Checker lets users scan for corruptions in Windows system files and restore corrupted files. For more information, see [Use the System File Checker tool](https://support.microsoft.com/en-us/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system-files).
NTFS_FILE_SYSTEM <br>Stop error code 0x000000024 | This Stop error is commonly caused by corruption in the NTFS file system or bad blocks (sectors) on the hard disk. Corrupted drivers for hard disks (SATA or IDE) can also adversely affect the system's ability to read and write to disk. Run any hardware diagnostics that are provided by the manufacturer of the storage subsystem. Use the scan disk tool to verify that there are no file system errors. To do this, right-click the drive that you want to scan, select Properties, select Tools, and then select the Check now button.We also suggest that you update the NTFS file system driver (Ntfs.sys), and apply the latest cumulative updates for the current operating system that is experiencing the problem.
KMODE_EXCEPTION_NOT_HANDLED <br>Stop error code 0x0000001E | If a driver is identified in the Stop error message, disable or remove that driver. Disable or remove any drivers or services that were recently added. <br><br>If the error occurs during the startup sequence, and the system partition is formatted by using the NTFS file system, you might be able to use Safe mode to disable the driver in Device Manager. To do this, follow these steps:<br><br>Go to **Settings > Update &amp; security > Recovery**. Under **Advanced startup**, select **Restart now**. After your PC restarts to the **Choose an option** screen, select **Troubleshoot &gt; Advanced options &gt; Startup Settings &gt; Restart**. After the computer restarts, you'll see a list of options. Press **4** or **F4** to start the computer in Safe mode. Or, if you intend to use the Internet while in Safe mode, press **5** or **F5** for the Safe Mode with Networking option.
DPC_WATCHDOG_VIOLATION <br>Stop error code 0x00000133 | This Stop error code is caused by a faulty driver that does not complete its work within the allotted time frame in certain conditions. To enable us to help mitigate this error, collect the memory dump file from the system, and then use the Windows Debugger to find the faulty driver. If a driver is identified in the Stop error message, disable the driver to isolate the problem. Check with the manufacturer for driver updates. Check the system log in Event Viewer for additional error messages that might help identify the device or driver that is causing Stop error 0x133. Verify that any new hardware that is installed is compatible with the installed version of Windows. For example, you can get information about required hardware at Windows 10 Specifications. If Windows Debugger is installed, and you have access to public symbols, you can load the c:\windows\memory.dmp file into the Debugger, and then refer to [Determining the source of Bug Check 0x133 (DPC_WATCHDOG_VIOLATION) errors on Windows Server 2012](https://blogs.msdn.microsoft.com/ntdebugging/2012/12/07/determining-the-source-of-bug-check-0x133-dpc_watchdog_violation-errors-on-windows-server-2012/) to find the problematic driver from the memory dump.
USER_MODE_HEALTH_MONITOR <br>Stop error code 0x0000009E | This Stop error indicates that a user-mode health check failed in a way that prevents graceful shutdown. Therefore, Windows restores critical services by restarting or enabling application failover to other servers. The Clustering Service incorporates a detection mechanism that may detect unresponsiveness in user-mode components.<br>This Stop error usually occurs in a clustered environment, and the indicated faulty driver is RHS.exe.Check the event logs for any storage failures to identify the failing process.Try to update the component or process that is indicated in the event logs. You should see the following event recorded:<br>Event ID: 4870<br>Source: Microsoft-Windows-FailoverClustering<br>Description: User mode health monitoring has detected that the system is not being responsive. The Failover cluster virtual adapter has lost contact with the Cluster Server process with a process ID %1, for %2 seconds. Recovery action will be taken. Review the Cluster logs to identify the process and investigate which items might cause the process to hang. <br />For more information, see ["Why is my Failover Clustering node blue screening with a Stop 0x0000009E?"](https://blogs.technet.microsoft.com/askcore/2009/06/12/why-is-my-failover-clustering-node-blue-screening-with-a-stop-0x0000009e) Also, see the following Microsoft video [What to do if a 9E occurs](https://www.youtube.com/watch?v=vOJQEdmdSgw).
## References
- [Bug Check Code Reference](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2)

2
windows/client-management/troubleshoot-windows-freeze.md
View File

@ -7,7 +7,7 @@ ms.sitesec: library
ms.topic: troubleshooting
author: kaushika-msft
ms.localizationpriority: medium
ms.author: elizapo
ms.author: kaushika
ms.date: 11/26/2018
---

2
windows/deployment/update/windows-analytics-get-started.md
View File

@ -87,6 +87,8 @@ The compatibility update scans your devices and enables application usage tracki
| Windows 8.1 | [KB 2976978](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)<br>Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed. <br>For more information about this update, see <https://support.microsoft.com/kb/2976978>|
| Windows 7 SP1 | [KB2952664](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664) <br>Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed. <br>For more information about this update, see <https://support.microsoft.com/kb/2952664>|
We also recommend installing the latest [Windows Monthly Rollup](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup) on Windows 7 and Windows 8.1 devices.
>[!IMPORTANT]
>Restart devices after you install the compatibility updates for the first time.

9
windows/security/information-protection/tpm/tpm-recommendations.md
View File

@ -9,7 +9,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/16/2018
ms.date: 11/29/2018
---
# TPM recommendations
@ -64,6 +64,9 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC.
> [!NOTE]
> TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
## Discrete, Integrated or Firmware TPM?
There are three implementation options for TPMs:
@ -113,6 +116,10 @@ The following table defines which Windows features require TPM support.
| TPM Platform Crypto Provider Key Storage Provider| Yes | Yes| Yes | |
| Virtual Smart Card | Yes | Yes | Yes | |
| Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. |
| Autopilot | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. |
| SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. |
| DRTM | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. |
## OEM Status on TPM 2.0 system availability and certified parts

4
windows/security/information-protection/tpm/trusted-platform-module-overview.md
View File

@ -9,7 +9,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms-author: v-anbic
ms.date: 08/21/2018
ms.date: 11/29/2018
---
# Trusted Platform Module Technology Overview
@ -69,7 +69,7 @@ Some things that you can check on the device are:
- Is SecureBoot supported and enabled?
> [!NOTE]
> Windows 10 and Windows Server 2016 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1).
> Windows 10 and Windows Server 2016 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
## Supported versions for device health attestation

4
windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 11/27/2018
ms.date: 11/29/2018
---
# Reduce attack surfaces with attack surface reduction rules
@ -31,6 +31,8 @@ Attack surface reduction rules help prevent actions and apps that are typically
When an attack surface reduction rule is triggered, a notification displays from the Action Center on the user's computer. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information.
Attack surface reduction is supported on Windows 10, version 1709 and later and Windows Server 2019.
## Requirements
Attack surface reduction rules are a feature of Windows Defender ATP and require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md).

3
windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 10/02/2018
ms.date: 11/29/2018
---
# Protect important folders with controlled folder access
@ -33,6 +33,7 @@ The protected folders include common system folders, and you can [add additional
You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019.
## Requirements

6
windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 08/09/2018
ms.date: 11/29/2018
---
# Protect devices from exploits
@ -22,10 +22,10 @@ ms.date: 08/09/2018
Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Exploit protection is supported on Windows 10, version 1709 and later and Windows Server 2016, version 1803 or later.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
>You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).

6
windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 08/09/2018
ms.date: 11/29/2018
---
# Protect your network
@ -24,8 +24,10 @@ Network protection helps reduce the attack surface of your devices from Internet
It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
Network protection is supported on Windows 10, version 1709 and later and Windows Server 2016, version 1803 or later.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
>You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
Network protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).