diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index f3835820c5..9fa201861f 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1,6 +1,51 @@ { "redirections": [ { +"source_path": "devices/hololens/hololens-upgrade-enterprise.md", +"redirect_url": "https://docs.microsoft.com/hololens/hololens-requirements#upgrade-to-windows-holographic-for-business", +"redirect_document_id": true +}, +{ +"source_path": "devices/hololens/hololens-install-localized.md", +"redirect_url": "https://docs.microsoft.com/hololens/hololens1-install-localized", +"redirect_document_id": false +}, +{ +"source_path": "devices/hololens/hololens-install-apps.md", +"redirect_url": "https://docs.microsoft.com/hololens/holographic-store-apps", +"redirect_document_id": false +}, +{ +"source_path": "devices/hololens/hololens-setup.md", +"redirect_url": "https://docs.microsoft.com/hololens/hololens1-setup", +"redirect_document_id": true +}, +{ +"source_path": "devices/hololens/hololens-use-apps.md", +"redirect_url": "https://docs.microsoft.com/hololens/holographic-home#using-apps-on-hololens", +"redirect_document_id": true +}, +{ +"source_path": "devices/hololens/hololens-get-apps.md", +"redirect_url": "https://docs.microsoft.com/hololens/holographic-store-apps", +"redirect_document_id": true +}, +{ +"source_path": "devices/hololens/hololens-spaces-on-hololens.md", +"redirect_url": "https://docs.microsoft.com/hololens/hololens-spaces", +"redirect_document_id": true +}, +{ +"source_path": "devices/hololens/hololens-clicker.md", +"redirect_url": "https://docs.microsoft.com/hololens/hololens1-clicker", +"redirect_document_id": true +}, +{ +"source_path": "devices/hololens/hololens-clicker-restart-recover.md", +"redirect_url": "https://docs.microsoft.com/hololens/hololens1-clicker#restart-or-recover-the-clicker", +"redirect_document_id": false +}, +{ "source_path": "devices/surface/manage-surface-pro-3-firmware-updates.md", "redirect_url": "https://docs.microsoft.com/surface/manage-surface-driver-and-firmware-updates", "redirect_document_id": true @@ -5996,6 +6041,11 @@ "redirect_url": "https://docs.microsoft.com/dynamics365/#pivot=mixed-reality-apps", "redirect_document_id": true }, +{ + "source_path": "devices/hololens/hololens-restart-recover.md", + "redirect_url": "/hololens/hololens-recovery", + "redirect_document_id": false +}, { "source_path": "devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md", "redirect_url": "https://docs.microsoft.com/surface-hub/provisioning-packages-for-surface-hub", diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index 3f07da3690..03234dc869 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -47,12 +47,12 @@ # Hologram optics and placement in space ## [Tips for viewing clear Holograms](hololens-calibration.md) -## [Mapping physical spaces with HoloLens](hololens-spaces.md) +## [Environment considerations for HoloLens](hololens-environment-considerations.md) +## [Spatial mapping on HoloLens](hololens-spaces.md) -# Recovery and troubleshooting -## [Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md) -## [Restart, reset, or recover the HoloLens](hololens-restart-recover.md) +# Update and recovery +## [Join the Windows Insider program](hololens-insider.md) +## [Restart, reset, or recover](hololens-recovery.md) # [Give us feedback](hololens-feedback.md) -# [Insider preview for Microsoft HoloLens](hololens-insider.md) # [Change history for Microsoft HoloLens documentation](change-history-hololens.md) diff --git a/devices/hololens/hololens-environment-considerations.md b/devices/hololens/hololens-environment-considerations.md new file mode 100644 index 0000000000..fd573a27c0 --- /dev/null +++ b/devices/hololens/hololens-environment-considerations.md @@ -0,0 +1,121 @@ +--- +title: Environment considerations for HoloLens +description: Get the best possible experience using HoloLens when you optimize the device for your eyes and environment. Many different environmental factors are fused together to enable tracking, but as a Mixed Reality developer, there are several factors you can keep in mind to tune a space for better holograms. +keywords: holographic frame, field of view, fov, calibration, spaces, environment, how-to +author: dorreneb +ms.author: dobrown +manager: jarrettr +ms.date: 8/29/2019 +ms.prod: hololens +ms.topic: article +audience: ITPro +ms.localizationpriority: medium +appliesto: +- HoloLens 1 +- HoloLens 2 +--- + +# Environment considerations for HoloLens + +HoloLens blends the holographic with the "real" world, placing holograms in your surroundings. A holographic app window "hangs" on the wall, a holographic ballerina spins on the tabletop, bunny ears sit on top of your unwitting friend’s head. When you’re using an immersive game or app, the holographic world will spread to fill your surroundings but you’ll still be able to see and move around the space. + +The holograms you place will stay where you’ve put them, even if you turn off your device. + +## Setting up an environment + +HoloLens devices know how to place stable and accurate holograms by *tracking* users in a space. Without proper tracking, the device does not understand the environment or the user within it so holograms can appear in the wrong places, not appear in the same spot every time, or not appear at all. The data used to track users is represented in the *spatial map*. + +Tracking performance is heavily influenced by the environment the user is in, and tuning an environment to induce stable and consistent tracking is an art rather than a science. Many different environmental factors are fused together to enable tracking, but as a Mixed Reality developer, there are several factors you can keep in mind to tune a space for better tracking. + +### Lighting + +Windows Mixed Reality uses visual light to track the user's location. When an environment is too bright, the cameras can get saturated, and nothing is seen. If the environment is too dark, the cameras cannot pick up enough information, and nothing is seen. Lighting should be even and sufficiently bright that a human can see without effort, but not so bright that the light is painful to look at. + +Areas where there are points of bright light in an overall dim area are also problematic, as the camera has to adjust when moving in and out of bright spaces. This can cause the device to "get lost" and think that the change in light equates to a change in location. Stable light levels in an area will lead to better tracking. + +Any outdoor lighting can also cause instability in the tracker, as the sun may vary considerably over time. For example, tracking in the same space in the summer vs. winter can produce drastically different results, as the secondhand light outside may be higher at different times of year. + +If you have a luxmeter, a steady 500-1000 lux is a good place to start. + +#### Types of lighting + +Different types of light in a space can also influence tracking. Light bulbs pulse with the AC electricity running through it - if the AC frequency is 50Hz, then the light pulses at 50Hz. For a human, this pulsing is not noticed. However, HoloLens' 30fps camera sees these changes - some frames will be well-lit, some will be poorly lit, and some will be over-exposed as the camera tries to compensate for light pulses. + +In the USA, electricity frequency standard is 60Hz, so light bulb pulses are harmonized with HoloLens' framerate - 60Hz pulses align with HoloLens' 30 FPS framerate. However, many countries have an AC frequency standard of 50Hz, which means some HoloLens frames will be taken during pulses, and others will not. In particular, fluorescent lighting in Europe has been known to cause issues. + +There are a few things you can try to resolve flickering issues. Temperature, bulb age, and warm-up cycles are common causes of fluorescent flickering and replacing bulbs may help. Tightening bulbs and making sure current draws are constant can also help. + +### Items in a space + +HoloLens uses unique environmental landmarks, also known as *features*, to locate itself in a space. + +A device can almost never track in a feature-poor area, as the device has no way of knowing where in space it is. Adding features to the walls of a space is usually a good way to improve tracking. Posters, symbols taped to a wall, plants, unique objects, or other similar items all help. A messy desk is a good example of an environment that leads to good tracking - there are a lot of different features in a single area. + +Additionally, use unique features in the same space. The same poster repeated multiple times over a wall, for example, will cause device confusion as the HoloLens won't know which of the repetitive posters it is looking at. One common way of adding unique features is to use lines of masking tape to create unique, non-repetitive patterns along the walls and floor of a space. + +A good question to ask yourself is: if you saw just a small amount of the scene, could you uniquely locate yourself in the space? If not, it's likely the device will have problems tracking as well. + +#### Wormholes + +If you have two areas or regions that look the same, the tracker may think they are the same. This results in the device tricking itself into thinking it is somewhere else. We call these types of repetitive areas *wormholes*. + +To prevent wormholes, try to prevent identical areas in the same space. Identical areas can sometimes include factory stations, windows on a building, server racks, or work stations. Labelling areas or adding unique features to each similar-looking areas can help mitigate wormholes. + +### Movement in a space + +If your environment is constantly shifting and changing, the device has no stable features to locate against. + +The more moving objects that are in a space, including people, the easier it is to lose tracking. Moving conveyor belts, items in different states of construction, and lots of people in a space have all been known to cause tracking issues. + +The HoloLens can quickly adapt to these changes, but only when that area is clearly visible to the device. Areas that are not seen as frequently may lag behind reality, which can cause errors in the spatial map. For example, a user scans a friend and then turns around while the friend leaves the room. A 'ghost' representation of the friend will persist in the spatial mapping data until the user re-scans the now empty space. + +### Proximity of the user to items in the space + +Similarly to how humans cannot focus well on objects close to the eyes, HoloLens struggles when objects are close to it's cameras. If an object is too close to be seen with both cameras, or if an object is blocking one camera, the device will have far more issues with tracking against the object. + +The cameras can see no closer than 15cm from an object. + +### Surfaces in a space + +Strongly reflective surfaces will likely look different depending on the angle, which affects tracking. Think of a brand new car—when you move around it, light reflects and you see different objects in the surface as you move. To the tracker, the different objects reflected in the surface represent a changing environment, and the device loses tracking. + +Less shiny objects are easier to track against. + +### Wi-Fi fingerprint considerations + +As long as Wi-Fi is enabled, map data will be correlated with a Wi-Fi fingerprint, even when not connected to an actual WiFi network/router. Without Wi-Fi info, the space and holograms may be slightly slower to recognize. If the Wi-Fi signals change significantly, the device may think it is in a different space altogether. + +Network identification (such as SSID or MAC address) is not sent to Microsoft, and all Wi-Fi references are kept local on the HoloLens. + +## Mapping new spaces + +When you enter a new space (or load an existing one), you’ll see a mesh graphic spreading over the space. This means your device is mapping your surroundings. While a HoloLens will learn a space over time, there are tips and tricks to map spaces. + +## Environment management + +There are two settings which enable users to “clean up” holograms and cause HoloLens to “forget" a space. They exist in **Holograms and environments** in the settings app, with the second setting also appearing under **Privacy** in the settings app. + +1. **Delete nearby holograms**. When you select this setting, HoloLens will erase all anchored holograms and all stored map data for the “current space” where the device is located. A new map section would be created and stored in the database for that location once holograms are again placed in that same space. + +1. **Delete all holograms**.By selecting this setting, HoloLens will erase ALL map data and anchored holograms in the entire databases of spaces. No holograms will be rediscovered and any holograms need to be newly placed to again store map sections in the database. + +## Hologram quality + +Holograms can be placed throughout your environment—high, low, and all around you—but you’ll see them through a [holographic frame](https://docs.microsoft.com/windows/mixed-reality/holographic-frame) that sits in front of your eyes. To get the best view, make sure to adjust your device so you can see the entire frame. And don’t hesitate to walk around your environment and explore! + +For your [holograms](https://docs.microsoft.com/windows/mixed-reality/hologram) to look crisp, clear, and stable, your HoloLens needs to be calibrated just for you. When you first set up your HoloLens, you’ll be guided through this process. Later on, if holograms don’t look right or you’re seeing a lot of errors, you can make adjustments. + +If you are having trouble mapping spaces, try deleting nearby holograms and remapping the space. + +### Calibration + +If your holograms look jittery or shaky, or if you’re having trouble placing holograms, the first thing to try is the [Calibration app](hololens-calibration.md). This app can also help if you’re experiencing any discomfort while using your HoloLens. + +To get to the Calibration app, go to **Settings** > **System** > **Utilities**. Select **Open Calibration** and follow the instructions. + +If someone else is going to be using your HoloLens, they should run the Calibration app first so the device is set up properly for them. + +## See also + +- [Spatial mapping design](https://docs.microsoft.com/windows/mixed-reality/spatial-mapping-design) +- [Holograms](https://docs.microsoft.com/windows/mixed-reality/hologram) diff --git a/devices/hololens/hololens-offline.md b/devices/hololens/hololens-offline.md index 908a2bbb45..daf928dd5e 100644 --- a/devices/hololens/hololens-offline.md +++ b/devices/hololens/hololens-offline.md @@ -1,16 +1,16 @@ --- title: Use HoloLens offline description: To set up HoloLens, you'll need to connect to a Wi-Fi network -ms.assetid: b86f603c-d25f-409b-b055-4bbc6edcd301 -ms.reviewer: jarrettrenshaw +keywords: hololens, offline, OOBE +audience: ITPro ms.date: 07/01/2019 -manager: v-miegge -keywords: hololens -ms.prod: hololens -ms.sitesec: library +ms.assetid: b86f603c-d25f-409b-b055-4bbc6edcd301 author: v-miegge ms.author: v-miegge +manager: v-miegge ms.topic: article +ms.prod: hololens +ms.sitesec: library ms.localizationpriority: medium appliesto: - HoloLens (1st gen) @@ -35,6 +35,10 @@ HoloLens need a network connection to go through initial device set up. If your | MSA | https://login.live.com/ppsecure/inlineconnect.srf?id=80600 | | MSA Pin | https://account.live.com/msangc?fl=enroll | +Additional references: + +- [Technical reference for AAD related IP ranges and URLs](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges) + ## HoloLens limitations After your HoloLens is set up, you can use it without a Wi-Fi connection, but apps that use Internet connections will have limited capabilities when you use HoloLens offline. diff --git a/devices/hololens/hololens-recovery.md b/devices/hololens/hololens-recovery.md index b0f40d77cc..67541da523 100644 --- a/devices/hololens/hololens-recovery.md +++ b/devices/hololens/hololens-recovery.md @@ -1,55 +1,103 @@ --- -title: Restore HoloLens 2 using Advanced Recovery Companion -ms.reviewer: -manager: dansimp +title: Reset or recover your HoloLens +ms.reviewer: Both basic and advanced instructions for rebooting or resetting your HoloLens. description: How to use Advanced Recovery Companion to flash an image to HoloLens 2. +keywords: how-to, reboot, reset, recover, hard reset, soft reset, power cycle, HoloLens, shut down, arc, advanced recovery companion ms.prod: hololens ms.sitesec: library -author: dansimp -ms.author: dansimp +author: mattzmsft +ms.author: mazeller +ms.date: 08/30/2019 ms.topic: article -ms.localizationpriority: medium +ms.localizationpriority: +manager: jarrettr +appliesto: +- HoloLens (1st gen) +- HoloLens 2 --- -# Restore HoloLens 2 using Advanced Recovery Companion +# Restart, reset, or recover HoloLens ->[!TIP] ->If you're having issues with HoloLens (the first device released), see [Restart, reset, or recover HoloLens](https://support.microsoft.com/help/13452/hololens-restart-reset-or-recover-hololens). Advanced Recovery Companion is only supported for HoloLens 2. +If you’re experiencing problems with your HoloLens you may want to try a restart, reset, or even re-flash with device recovery. ->[!WARNING] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +Here are some things to try if your HoloLens isn’t running well. This article will guide you through the recommended recovery steps in succession. -The Advanced Recovery Companion is a new app in Microsoft Store that you can use to restore the operating system image to your HoloLens device. +This article focuses on the HoloLens device and software, if your holograms don't look right, [this article](hololens-environment-considerations.md) talks about environmental factors that improve hologram quality. -When your HoloLens 2 is unresponsive, not running properly, or is experiencing software or update problems, try these things in order: +## Restart your HoloLens -1. [Restart](#restart-hololens-2) the HoloLens 2. -2. [Reset](#reset-hololens-2) the HoloLens 2. -3. [Recover](#recover-hololens-2) the HoloLens 2. +First, try restarting the device. ->[!IMPORTANT] ->Resetting or recovering your HoloLens will erase all of your personal data, including apps, games, photos, and settings. You won’t be able to restore a backup once the reset is complete. +### Perform a safe restart by using Cortana -## Restart HoloLens 2 +The safest way to restart the HoloLens is by using Cortana. This is generally a great first-step when experiencing an issue with HoloLens: -A device restart can often "fix" a computer issue. First, say "Hey Cortana, restart the device." +1. Put on your device +1. Make sure it’s powered on, a user is logged in, and the device is not waiting for a password to unlock it. +1. Say “Hey Cortana, reboot” or "Hey Cortana, restart." +1. When she acknowledges she will ask you for confirmation. Wait a second for a sound to play after she has finished her question, indicating she is listening to you and then say “Yes.” +1. The device will now restart. -If you’re still having problems, press the power button for 4 seconds, until all of the battery indicators fade out. Wait 1 minute, then press the power button again to turn on the device. +### Perform a safe restart by using the power button -If neither of those things works, force restart the device. Hold down the power button for 10 seconds. Release it and wait 30 seconds, then press the power button again to turn on the device. +If you still can't restart your device, you can try to restart it by using the power button: -## Reset HoloLens 2 +1. Press and hold the power button for five seconds. + 1. After one second, you will see all five LEDs illuminate, then slowly turn off from right to left. + 1. After five seconds, all LEDs will be off, indicating the shutdown command was issued successfully. + 1. Note that it’s important to stop pressing the button immediately after all the LEDs have turned off. +1. Wait one minute for the shutdown to cleanly succeed. Note that the shutdown may still be in progress even if the displays are turned off. +1. Power on the device again by pressing and holding the power button for one second. -If the device is still having a problem after restart, use reset to return the HoloLens 2 to factory settings. +### Perform a safe restart by using Windows Device Portal -To reset your HoloLens 2, go to **Settings > Update > Reset** and select **Reset device**. +> [!NOTE] +> To do this, HoloLens has to be configured as a developer device. +> Read more about [Windows Device Portal](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal). + +If the previous procedure doesn't work, you can try to restart the device by using [Windows Device Portal](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal). In the upper right corner, there is an option to restart or shut down the device. + +### Perform an unsafe forced restart + +If none of the previous methods are able to successfully restart your device, you can force a restart. This method is equivalent to pulling the battery from the HoloLens. It is a dangerous operation which may leave your device in a corrupt state. If that happens, you'll have to flash your HoloLens. + +> [!WARNING] +> This is a potentially harmful method and should only be used in the event none of the above methods work. + +1. Press and hold the power button for at least 10 seconds. + + - It’s okay to hold the button for longer than 10 seconds. + - It’s safe to ignore any LED activity. +1. Release the button and wait for two or three seconds. +1. Power on the device again by pressing and holding the power button for one second. +If you’re still having problems, press the power button for 4 seconds, until all of the battery indicators fade out and the screen stops displaying holograms. Wait 1 minute, then press the power button again to turn on the device. + +## Reset to factory settings >[!NOTE] >The battery needs at least 40 percent charge to reset. -## Recover HoloLens 2 +If your HoloLens is still experiencing issues after restarting, try resetting it to factory state. Resetting your HoloLens keeps the version of the Windows Holographic software that’s installed on it and returns everything else to factory settings. -If the device is still having a problem after reset, you can use Advanced Recovery Companion to flash the device with a new image. +If you reset your device, all your personal data, apps, and settings will be erased. Resetting will only install the latest installed version of Windows Holographic and you will have to redo all the initialization steps (calibrate, connect to Wi-Fi, create a user account, download apps, and so forth). + +1. Launch the Settings app, and then select **Update** > **Reset**. +1. Select the **Reset device** option and read the confirmation message. +1. If you agree to reset your device, the device will restart and display a set of spinning gears with a progress bar. +1. Wait about 30 minutes for this process to complete. +1. The reset will complete and the device will restart into the out-of-the-box experience. + +## Re-install the operating system + +If the device is still having a problem after rebooting and resetting, you can use a recovery tool on your computer to reinstall the HoloLens' operating system and firmware. + +HoloLens (1st gen) and HoloLens 2 use different tools but both tools will auto-detect your HoloLens and install new software. + +All of the data HoloLens needs to reset is packaged in a Full Flash Update (ffu). This is similar to an iso, wim, or vhd. [Learn about FFU image file formats.](https://docs.microsoft.com/windows-hardware/manufacture/desktop/wim-vs-ffu-image-file-formats) + +### HoloLens 2 + +The Advanced Recovery Companion is a new app in Microsoft Store restore the operating system image to your HoloLens 2 device. 1. On your computer, get [Advanced Recovery Companion](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?activetab=pivot:overviewtab) from Microsoft Store. 2. Connect HoloLens 2 to your computer. @@ -58,5 +106,18 @@ If the device is still having a problem after reset, you can use Advanced Recove 5. On the **Device info** page, select **Install software** to install the default package. (If you have a Full Flash Update (FFU) image that you want to install instead, select **Manual package selection**.) 6. Software installation will begin. Do not use the device or disconnect the cable during installation. When you see the **Installation finished** page, you can disconnect and use your device. ->[!NOTE] ->[Learn about FFU image file formats.](https://docs.microsoft.com/windows-hardware/manufacture/desktop/wim-vs-ffu-image-file-formats) +### HoloLens (1st gen) + +If necessary, you can install a completely new operating system on your HoloLens (1st gen) with the Windows Device Recovery Tool. + +Before you use this tool, determine if restarting or resetting your HoloLens fixes the problem. The recovery process may take some time. When you're done, the latest version of the Windows Holographic software approved for your HoloLens will be installed. + +To use the tool, you’ll need a computer running Windows 10 or later, with at least 4 GB of free storage space. Please note that you can’t run this tool on a virtual machine. + +To recover your HoloLens + +1. Download and install the [Windows Device Recovery Tool](https://dev.azure.com/ContentIdea/ContentIdea/_queries/query/8a004dbe-73f8-4a32-94bc-368fc2f2a895/) on your computer. +1. Connect the HoloLens (1st gen) to your computer using the Micro USB cable that came with your HoloLens. +1. Run the Windows Device Recovery Tool and follow the instructions. + +If the HoloLens (1st gen) isn’t automatically detected, select **My device was not detected** and follow the instructions to put your device into recovery mode. diff --git a/devices/hololens/hololens-restart-recover.md b/devices/hololens/hololens-restart-recover.md deleted file mode 100644 index 9bf0cddb37..0000000000 --- a/devices/hololens/hololens-restart-recover.md +++ /dev/null @@ -1,55 +0,0 @@ ---- -title: Restart, reset, or recover HoloLens -description: Restart, reset, or recover HoloLens -ms.assetid: 9a546416-1648-403c-9e0c-742171b8812e -ms.reviewer: jarrettrenshaw -ms.date: 07/01/2019 -manager: v-miegge -keywords: hololens -ms.prod: hololens -ms.sitesec: library -author: v-miegge -ms.author: v-miegge -ms.topic: article -ms.localizationpriority: medium ---- - -# Restart, reset, or recover HoloLens - -Here are some things to try if your HoloLens is unresponsive, isn’t running well, or is experiencing software or update problems. - -## Restart your HoloLens - -If your HoloLens isn’t running well or is unresponsive, try the following things. - -First, try restarting the device: say, "Hey Cortana, restart the device." - -If you’re still having problems, press the power button for 4 seconds, until all of the battery indicators fade out. Wait 1 minute, then press the power button again to turn on the device. - -If neither of those things works, force restart the device. Hold down the power button for 10 seconds. Release it and wait 30 seconds, then press the power button again to turn on the device. - -## Reset or recover your HoloLens - -If restarting your HoloLens doesn’t help, another option is to reset it. If resetting it doesn’t fix the problem, the Windows Device Recovery Tool can help you recover your device. - ->[!IMPORTANT] ->Resetting or recovering your HoloLens will erase all of your personal data, including apps, games, photos, and settings. You won’t be able to restore a backup once the reset is complete. - -## Reset - -Resetting your HoloLens keeps the version of the Windows Holographic software that’s installed on it and returns everything else to factory settings. - -To reset your HoloLens, go to **Settings** > **Update** > **Reset** and select **Reset device**. The battery will need to have at least a 40 percent charge remaining to reset. - -## Recover using the Windows Device Recovery Tool - -Before you use this tool, determine if restarting or resetting your HoloLens fixes the problem. The recovery process may take some time, and the latest version of the Windows Holographic software approved for your HoloLens will be installed. - -To use the tool, you’ll need a computer running Windows 10 or later, with at least 4 GB of free storage space. Please note that you can’t run this tool on a virtual machine. -To recover your HoloLens - -1. Download and install the [Windows Device Recovery Tool](https://dev.azure.com/ContentIdea/ContentIdea/_queries/query/8a004dbe-73f8-4a32-94bc-368fc2f2a895/) on your computer. -1. Connect the clicker to your computer using the Micro USB cable that came with your HoloLens. -1. Run the Windows Device Recovery Tool and follow the instructions. - -If the clicker isn’t automatically detected, select **My device was not detected** and follow the instructions to put your device into recovery mode. diff --git a/devices/hololens/hololens2-setup.md b/devices/hololens/hololens2-setup.md index d007628794..7b662a76b4 100644 --- a/devices/hololens/hololens2-setup.md +++ b/devices/hololens/hololens2-setup.md @@ -62,9 +62,20 @@ To turn on your HoloLens 2, press the Power button. The LED lights below the Po | To turn off | Press and for hold 5s. | All five lights turn on, then fade off one at a time. After the lights turn off, a sound plays and the screen displays "Goodbye." | | To force the Hololens to restart if it is unresponsive | Press and hold for 10s. | All five lights turn on, then fade off one at a time. After the lights turn off. | -## HoloLens indicator lights +## HoloLens behavior reference -Not sure what the indicator lights on your HoloLens mean? Here's some help! +Not sure what the indicator lights on your HoloLens mean? Want to know how HoloLens should behave while charging? Here's some help! + +### Charging behavior + +| State of the Device | Action | HoloLens 2 will do this | +| - | - | - | +| OFF | Plug in USB Cable | Device transitions to ON with indicator lights showing battery level and device starts charging. +| ON | Remove USB Cable | Device stops charging +| ON | Plug in USB Cable | Device starts charging +| SLEEP | Plug in USB Cable | Device starts charging +| SLEEP | Remove USB Cable | Device stops charging +| ON with USB cable pluged in | Turn off Device | Device transitions to ON with indicator lights showing battery level and device will start charging | ### Lights that indicate the battery level @@ -76,6 +87,14 @@ Not sure what the indicator lights on your HoloLens mean? Here's some help! | One solid light, one light fading in and out | Between 40% and 21% | | One light fading in and out | Between 20% and 5% or lower (critical battery) | +### Sleep Behavior + +| State of the Device | Action | HoloLens 2 will do this | +| - | - | - | +| ON | Single Power button press | Device transitions to SLEEP and turns off all indicator lights | +| ON | No movement for 3 minutes | Device transition to SLEEP and turns off all indicator lights | +| SLEEP | Single Power button Press | Device transitions to ON and turns on indicator lights | + ### Lights to indicate problems | When you do this | The lights do this | It means this | diff --git a/devices/surface/surface-manage-dfci-guide.md b/devices/surface/surface-manage-dfci-guide.md index 958c307be4..74e641b050 100644 --- a/devices/surface/surface-manage-dfci-guide.md +++ b/devices/surface/surface-manage-dfci-guide.md @@ -43,13 +43,13 @@ At this time, DFCI is supported in the following devices: ## Prerequisites -- Devices must be registered with Windows Autopilot by your reseller or distributor. For more information, refer to the [Microsoft Partner Network](https://partner.microsoft.com/en-US/membership/cloud-solution-provider). +- Devices must be registered with Windows Autopilot by your reseller or distributor. For more information, refer to the [Microsoft Partner Network](https://partner.microsoft.com/membership/cloud-solution-provider). - Before configuring DFCI for Surface, you should be familiar with Autopilot configuration requirements in [Microsoft Intune](https://docs.microsoft.com/intune/) and [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/) (Azure AD). ## Before you begin -Add your target Surface devices to an Azure AD security group. For more information about creating and managing security groups, refer to [Intune documentation](https://docs.microsoft.com/en-us/intune/configuration/device-firmware-configuration-interface-windows#create-your-azure-ad-security-groups). +Add your target Surface devices to an Azure AD security group. For more information about creating and managing security groups, refer to [Intune documentation](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows#create-your-azure-ad-security-groups). ## Configure DFCI management for Surface devices diff --git a/windows/deployment/update/PSFxWhitepaper.md b/windows/deployment/update/PSFxWhitepaper.md index dc4e379e29..c46b4cc2da 100644 --- a/windows/deployment/update/PSFxWhitepaper.md +++ b/windows/deployment/update/PSFxWhitepaper.md @@ -1,206 +1,114 @@ ---- -title: Windows Updates using forward and reverse differentials -description: A technique to produce compact software updates optimized for any origin and destination revision pair -keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 10/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Windows Updates using forward and reverse differentials - - -Windows 10 monthly quality updates are cumulative, containing all previously -released fixes to ensure consistency and simplicity. For an operating system -platform like Windows 10, which stays in support for multiple years, the size of -monthly quality updates can quickly grow large, thus directly impacting network -bandwidth consumption. - -Today, this problem is addressed by using express downloads, where differential -downloads for every changed file in the update are generated based on selected -historical revisions plus the base version. In this paper, we introduce a new -technique to build compact software update packages that are applicable to any -revision of the base version, and then describe how Windows 10 quality updates -uses this technique. - -## General Terms - -The following general terms apply throughout this document: - -- *Base version*: A major software release with significant changes, such as - Windows 10, version 1809 (Windows 10 Build 17763.1) - -- *Revision*: Minor releases in between the major version releases, such as - KB4464330 (Windows 10 Build 17763.55) - -- *Baseless Patch Storage Files (Baseless PSF)*: Patch storage files that - contain full binaries or files - -## Introduction - -In this paper, we introduce a new technique that can produce compact software -updates optimized for any origin/destination revision pair. It does this by -calculating forward the differential of a changed file from the base version and -its reverse differential back to the base version. Both forward and reverse -differentials are then packaged as an update and distributed to the endpoints -running the software to be updated. The update package contents can be symbolized as follows: - -![Symbolic representation of update package contents. a box containing two expressions: delta sub zero transform to sub N, followed delta sub N transform to sub zero](images/PSF1.png) - -The endpoints that have the base version of the file (V0) hydrate the target -revision (VN) by applying a simple transformation: - -![Equation: V sub zero + delta sub zero transform to sub N = V sub n](images/PSF2.png) - -The endpoints that have revision N of the file (VN), hydrate the target revision -(VR) by applying the following set of transformations: - -![Equation 1: V sub n + delta sub n transform to 0 = V sun 0; Equation 2: V sub zero + delta sub 0 transform to R = V sub R](images/PSF3.png) - -The endpoints retain the reverse differentials for the software revision they -are on, so that it can be used for hydrating and applying next revision update. - -By using a common baseline, this technique produces a single update package with -numerous advantages: - -- Compact in size - -- Applicable to all baselines - -- Simple to build - -- Efficient to install - -- Redistributable - -Historically, download sizes of Windows 10 quality updates (Windows 10, version -1803 and older supported versions of Windows 10) are optimized by using express -download. Express download is optimized such that updating Windows 10 systems -will download the minimum number of bytes. This is achieved by generating -differentials for every updated file based on selected historical base revisions -of the same file + its base or RTM version. - -For example, if the October monthly quality update has updated Notepad.exe, -differentials for Notepad.exe file changes from September to October, August to -October, July to October, June to October, and from the original feature release -to October are generated. All these differentials are stored in a Patch Storage -File (PSF, also referred to as “express download files”) and hosted or cached on -Windows Update or other update management or distribution servers (for example, -Windows Server Update Services (WSUS), System Center Configuration Manager, or a -non-Microsoft update management or distribution server that supports express -updates). A device leveraging express updates uses network protocol to determine -optimal differentials, then downloads only what is needed from the update -distribution endpoints. - -The flipside of express download is that the size of PSF files can be very large -depending on the number of historical baselines against which differentials were -calculated. Downloading and caching large PSF files to on-premises or remote -update distribution servers is problematic for most organizations, hence they -are unable to leverage express updates to keep their fleet of devices running -Windows 10 up to date. Secondly, due to the complexity of generating -differentials and size of the express files that need to be cached on update -distribution servers, it is only feasible to generate express download files for -the most common baselines, thus express updates are only applicable to selected -baselines. Finally, calculation of optimal differentials is expensive in terms -of system memory utilization, especially for low-cost systems, impacting their -ability to download and apply an update seamlessly. - -In the following sections, we describe how Windows 10 quality updates will -leverage this technique based on forward and reverse differentials for newer -releases of Windows 10 and Windows Server to overcome the challenges with -express downloads. - -## High-level Design - -### Update packaging - -Windows 10 quality update packages will contain forward differentials from -quality update RTM baselines (∆RTM→N) and reverse differentials back to RTM -(∆N→RTM) for each file that has changed since RTM. By using the RTM version as -the baseline, we ensure that all devices will have an identical payload. Update -package metadata, content manifests, and forward and reverse differentials will -be packaged into a cabinet file (.cab). This .cab file, and the applicability -logic, will also be wrapped in Microsoft Standalone Update (.msu) format. - -There can be cases where new files are added to the system during servicing. -These files will not have RTM baselines, thus forward and reverse differentials -cannot be used. In these scenarios, null differentials will be used to handle -servicing. Null differentials are the slightly compressed and optimized version -of the full binaries. Update packages can have either -forward or reverse differentials, or null differential of any given binary in -them. The following image symbolizes the content of a Windows 10 quality update installer: - -![Outer box labeled .msu containing two sub-boxes: 1) Applicability Logic, 2) box labeled .cab containg four sub-boxes: 1) update metadata, 2) content manifests, 3) delta sub RTM transform to sub N (file 1, file2, etc.), and 4) delta sub N transform to RTM (file 1, file 2, etc.)](images/PSF4.png) - -### Hydration and installation - -Once the usual applicability checks are performed on the update package and are -determined to be applicable, the Windows component servicing infrastructure will -hydrate the full files during pre-installation and then proceed with the usual -installation process. - -Below is a high-level sequence of activities that the component servicing -infrastructure will run in a transaction to complete installation of the update: - -- Identify all files that are required to install the update. - -- Hydrate each of necessary files using current version (VN) of the file, - reverse differential (VN--->RTM) of the file back to quality update RTM/base - version and forward differential (VRTM--->R) from feature update RTM/base - version to the target version. Also, use null differential hydration to - hydrate null compressed files. - -- Stage the hydrated files (full file), forward differentials (under ‘f’ - folder) and reverse differentials (under ‘r’ folder) or null compressed - files (under ‘n’ folder) in the component store (%windir%\\WinSxS folder). - -- Resolve any dependencies and install components. - -- Clean up older state (VN-1); the previous state VN is retained for - uninstallation and restoration or repair. - -### **Resilient Hydration** - -To ensure resiliency against component store corruption or missing files that -could occur due to susceptibility of certain types of hardware to file system -corruption, a corruption repair service has been traditionally used to recover -the component store automatically (“automatic corruption repair”) or on demand -(“manual corruption repair”) using an online or local repair source. This -service will continue to offer the ability to repair and recover content for -hydration and successfully install an update, if needed. - -When corruption is detected during update operations, automatic corruption -repair will start as usual and use the Baseless Patch Storage File published to -Windows Update for each update to fix corrupted manifests, binary differentials, -or hydrated or full files. Baseless patch storage files will contain reverse and -forward differentials and full files for each updated component. Integrity of -the repair files will be hash verified. - -Corruption repair will use the component manifest to detect missing files and -get hashes for corruption detection. During update installation, new registry -flags for each differential staged on the machine will be set. When automatic -corruption repair runs, it will scan hydrated files using the manifest and -differential files using the flags. If the differential cannot be found or -verified, it will be added to the list of corruptions to repair. - -### Lazy automatic corruption repair - -“Lazy automatic corruption repair” runs during update operations to detect -corrupted binaries and differentials. While applying an update, if hydration of -any file fails, "lazy" automatic corruption repair automatically starts, -identifies the corrupted binary or differential file, and then adds it to the -corruption list. Later, the update operation continues as far as it can go, so -that "lazy" automatic corruption repair can collect as many corrupted files to fix -as possible. At the end of the hydration section, the update fails, and -automatic corruption repair starts. Automatic corruption repair runs as usual -and at the end of its operation, adds the corruption list generated by "lazy" -automatic corruption repair on top of the new list to repair. Automatic -corruption repair then repairs the files on the corruption list and installation -of the update will succeed on the next attempt. +--- +title: Windows Updates using forward and reverse differentials +description: A technique to produce compact software updates optimized for any origin and destination revision pair +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Windows Updates using forward and reverse differentials + +Windows 10 monthly quality updates are cumulative, containing all previously +released fixes to ensure consistency and simplicity. For an operating system +platform like Windows 10, which stays in support for multiple years, the size of +monthly quality updates can quickly grow large, thus directly impacting network +bandwidth consumption. + +Today, this problem is addressed by using express downloads, where differential +downloads for every changed file in the update are generated based on selected +historical revisions plus the base version. In this paper, we introduce a new +technique to build compact software update packages that are applicable to any +revision of the base version, and then describe how Windows 10 quality updates +uses this technique. + +## General Terms + +The following general terms apply throughout this document: + +- *Base version*: A major software release with significant changes, such as Windows 10, version 1809 (Windows 10 Build 17763.1) +- *Revision*: Minor releases in between the major version releases, such as KB4464330 (Windows 10 Build 17763.55) +- *Baseless Patch Storage Files (Baseless PSF)*: Patch storage files that contain full binaries or files + +## Introduction + +In this paper, we introduce a new technique that can produce compact software +updates optimized for any origin/destination revision pair. It does this by +calculating forward the differential of a changed file from the base version and +its reverse differential back to the base version. Both forward and reverse +differentials are then packaged as an update and distributed to the endpoints +running the software to be updated. The update package contents can be symbolized as follows: + +![Symbolic representation of update package contents. A box containing two expressions: delta sub zero transform to sub N, followed delta sub N transform to sub zero](images/PSF1.png) + +The endpoints that have the base version of the file (V0) hydrate the target +revision (VN) by applying a simple transformation: + +![Equation: V sub zero + delta sub zero transform to sub N = V sub n](images/PSF2.png) + +The endpoints that have revision N of the file (VN), hydrate the target revision +(VR) by applying the following set of transformations: + +![Equation 1: V sub n + delta sub n transform to 0 = V sun 0; Equation 2: V sub zero + delta sub 0 transform to R = V sub R](images/PSF3.png) + +The endpoints retain the reverse differentials for the software revision they +are on, so that it can be used for hydrating and applying next revision update. + +By using a common baseline, this technique produces a single update package with +numerous advantages: + +- Compact in size +- Applicable to all baselines +- Simple to build +- Efficient to install +- Redistributable + +Historically, download sizes of Windows 10 quality updates (Windows 10, version 1803 and older supported versions of Windows 10) are optimized by using express download. Express download is optimized such that updating Windows 10 systems will download the minimum number of bytes. This is achieved by generating differentials for every updated file based on selected historical base revisions of the same file + its base or RTM version. + +For example, if the October monthly quality update has updated Notepad.exe, differentials for Notepad.exe file changes from September to October, August to October, July to October, June to October, and from the original feature release to October are generated. All these differentials are stored in a Patch Storage File (PSF, also referred to as “express download files”) and hosted or cached on Windows Update or other update management or distribution servers (for example, Windows Server Update Services (WSUS), System Center Configuration Manager, or a non-Microsoft update management or distribution server that supports express updates). A device leveraging express updates uses network protocol to determine optimal differentials, then downloads only what is needed from the update distribution endpoints. + +The flip side of express download is that the size of PSF files can be very large depending on the number of historical baselines against which differentials were calculated. Downloading and caching large PSF files to on-premises or remote update distribution servers is problematic for most organizations, hence they are unable to leverage express updates to keep their fleet of devices running Windows 10 up to date. Secondly, due to the complexity of generating differentials and size of the express files that need to be cached on update distribution servers, it is only feasible to generate express download files for the most common baselines, thus express updates are only applicable to selected baselines. Finally, calculation of optimal differentials is expensive in terms of system memory utilization, especially for low-cost systems, impacting their ability to download and apply an update seamlessly. + +In the following sections, we describe how Windows 10 quality updates will leverage this technique based on forward and reverse differentials for newer releases of Windows 10 and Windows Server to overcome the challenges with express downloads. + +## High-level Design + +### Update packaging + +Windows 10 quality update packages will contain forward differentials from quality update RTM baselines (∆RTM→N) and reverse differentials back to RTM (∆N→RTM) for each file that has changed since RTM. By using the RTM version as the baseline, we ensure that all devices will have an identical payload. Update package metadata, content manifests, and forward and reverse differentials will be packaged into a cabinet file (.cab). This .cab file, and the applicability logic, will also be wrapped in Microsoft Standalone Update (.msu) format. + +There can be cases where new files are added to the system during servicing. These files will not have RTM baselines, thus forward and reverse differentials cannot be used. In these scenarios, null differentials will be used to handle servicing. Null differentials are the slightly compressed and optimized version of the full binaries. Update packages can have either forward or reverse differentials, or null differential of any given binary in them. The following image symbolizes the content of a Windows 10 quality update installer: + +![Outer box labeled .msu containing two sub-boxes: 1) Applicability Logic, 2) box labeled .cab containing four sub-boxes: 1) update metadata, 2) content manifests, 3) delta sub RTM transform to sub N (file 1, file2, etc.), and 4) delta sub N transform to RTM (file 1, file 2, etc.)](images/PSF4.png) + +### Hydration and installation + +Once the usual applicability checks are performed on the update package and are determined to be applicable, the Windows component servicing infrastructure will hydrate the full files during pre-installation and then proceed with the usual installation process. + +Below is a high-level sequence of activities that the component servicing infrastructure will run in a transaction to complete installation of the update: + +- Identify all files that are required to install the update. +- Hydrate each of necessary files using current version (VN) of the file, reverse differential (VN--->RTM) of the file back to quality update RTM/base version and forward differential (VRTM--->R) from feature update RTM/base version to the target version. Also, use null differential hydration to hydrate null compressed files. +- Stage the hydrated files (full file), forward differentials (under ‘f’ folder) and reverse differentials (under ‘r’ folder) or null compressed files (under ‘n’ folder) in the component store (%windir%\\WinSxS folder). +- Resolve any dependencies and install components. +- Clean up older state (VN-1); the previous state VN is retained for uninstallation and restoration or repair. + +### **Resilient Hydration** + +To ensure resiliency against component store corruption or missing files that could occur due to susceptibility of certain types of hardware to file system corruption, a corruption repair service has been traditionally used to recover the component store automatically (“automatic corruption repair”) or on demand (“manual corruption repair”) using an online or local repair source. This service will continue to offer the ability to repair and recover content for +hydration and successfully install an update, if needed. + +When corruption is detected during update operations, automatic corruption repair will start as usual and use the Baseless Patch Storage File published to Windows Update for each update to fix corrupted manifests, binary differentials, or hydrated or full files. Baseless patch storage files will contain reverse and forward differentials and full files for each updated component. Integrity of the repair files will be hash verified. + +Corruption repair will use the component manifest to detect missing files and get hashes for corruption detection. During update installation, new registry flags for each differential staged on the machine will be set. When automatic corruption repair runs, it will scan hydrated files using the manifest and differential files using the flags. If the differential cannot be found or verified, it will be added to the list of corruptions to repair. + +### Lazy automatic corruption repair + +“Lazy automatic corruption repair” runs during update operations to detect corrupted binaries and differentials. While applying an update, if hydration of any file fails, "lazy" automatic corruption repair automatically starts, identifies the corrupted binary or differential file, and then adds it to the corruption list. Later, the update operation continues as far as it can go, so that "lazy" automatic corruption repair can collect as many corrupted files to fix as possible. At the end of the hydration section, the update fails, and automatic corruption repair starts. Automatic corruption repair runs as usual and at the end of its operation, adds the corruption list generated by "lazy" automatic corruption repair on top of the new list to repair. Automatic corruption repair then repairs the files on the corruption list and installation of the update will succeed on the next attempt. diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md index 20ecac8ae7..9022265138 100644 --- a/windows/deployment/update/WIP4Biz-intro.md +++ b/windows/deployment/update/WIP4Biz-intro.md @@ -1,74 +1,69 @@ ---- -title: Introduction to the Windows Insider Program for Business -description: Introduction to the Windows Insider Program for Business and why IT Pros should join it -keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.audience: itpro author: greg-lindsay -ms.date: 03/01/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Introduction to the Windows Insider Program for Business - - -**Applies to** - -- Windows 10 - -> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in the Semi-Annual Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available. - -The Windows Insider Program for Business gives you the opportunity to: - -* Get early access to Windows Insider Preview Builds. -* Provide feedback to Microsoft in real time by using the Feedback Hub app. -* Sign in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs. -* Register your Azure Active Directory domain in the program, allowing you to cover all users within your organization with just one registration. -* Starting with Windows 10, version 1709, enable, disable, defer, and pause the installation of preview builds through policies. -* Track feedback provided through the Feedback Hub App across your organization. - -Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans, and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub App. - -The Windows Insider Program doesn't replace Semi-Annual Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. - - -[![Illustration showing the Windows Insider PreviewFast Ring for exploration, the Slow Ring for validation, the Semi-Annual Channel Targeted ring for Pilot deployment, and the Semi-Annual Channel for broad deployment](images/WIP4Biz_deployment.png)](images/WIP4Biz_deployment.png)
-Windows 10 Insider Preview builds enable organizations to prepare sooner for Windows Semi-Annual releases and reduce the overall validation effort required with traditional deployments. - - -## Explore new Windows 10 features in Insider Previews -Windows 10 Insider Preview builds offer organizations a valuable and exciting opportunity to evaluate new Windows features well before general release. What’s more, by providing feedback to Microsoft on these features, you and other Insiders in your organization can help shape Windows for your specific business needs. Here’s how to get the most out of your feature exploration: - -|Objective |Feature exploration| -|---------|---------| -|Release channel |**Fast Ring:** Insider Preview builds in the Fast Ring are released approximately once a week and contain the very latest features. This makes them ideal for feature exploration.| -|Users | Because Fast Ring builds are released so early in the development cycle, we recommend limiting feature exploration in your organization to IT administrators and developers running Insider Preview builds on secondary devices. | -|Tasks | - Install and manage Insider Preview builds on devices (per device or centrally across multiple devices)
- Explore new features in Windows designed for organizations, including new features related to current and planned line of business applications
- Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) for a summary of current features. | -|Feedback | - Provide feedback via [Feedback Hub app](insiderhub://home/). This helps us make adjustments to features as quickly as possible.
- Encourage users to sign into the Feedback Hub using their AAD work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
- [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/en-us/how-to-feedback/) | - -## Validate Insider Preview builds -Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. This activity can play an important role in your [Windows 10 deployment strategy](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business). Early validation has several benefits: - -- Get a head start on your Windows validation process -- Identify issues sooner to accelerate your Windows deployment -- Engage Microsoft earlier for help with potential compatibility issues -- Deploy Windows 10 Semi-Annual releases faster and more confidently -- Maximize the 18-month support Window that comes with each Semi-Annual release. - - - -|Objective |Feature exploration| -|---------|---------| -|Release channel |**Slow Ring:** Insider Preview builds in the Slow Ring are released approximately once a month. They are more stable than Fast Ring releases, making them better suited for validation purposes. Slow Ring releases can be run on either secondary or primary production devices by skilled users.| -|Users | Application and infrastructure validation: In addition to Insiders who might have participated in feature exploration, we also recommend including a small group of application users from each business department to ensure a representative sample.| -|Tasks | Application and infrastructure validation: Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) and [Windows Insider Tech Community](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) pages for updates on current issues and fixes. | -|Feedback | Application and infrastructure validation:Provide feedback in the Feedback Hub app and also inform app vendors of any significant issues. | -|Guidance | Application and infrastructure validation:
- [Use Upgrade Readiness to create an app inventory and identify mission-critical apps](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-identify-apps)
- [Use Device Health to identify problem devices and device drivers](https://docs.microsoft.com/windows/deployment/update/device-health-monitor)
- [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793)| - +--- +title: Introduction to the Windows Insider Program for Business +description: Introduction to the Windows Insider Program for Business and why IT Pros should join +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationprioauthor: jaimeo +ms.audience: itpro +author: jaimeo +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Introduction to the Windows Insider Program for Business + +**Applies to** + +- Windows 10 + +> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in the Semi-Annual Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available. + +The Windows Insider Program for Business gives you the opportunity to: + +* Get early access to Windows Insider Preview Builds. +* Provide feedback to Microsoft in real time by using the Feedback Hub app. +* Sign in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs. +* Register your Azure Active Directory domain in the program, allowing you to cover all users within your organization with just one registration. +* Starting with Windows 10, version 1709, enable, disable, defer, and pause the installation of preview builds through policies. +* Track feedback provided through the Feedback Hub App across your organization. + +Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans, and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub App. + +The Windows Insider Program doesn't replace Semi-Annual Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. + +[![Illustration showing the Windows Insider PreviewFast Ring for exploration, the Slow Ring for validation, the Semi-Annual Channel Targeted ring for Pilot deployment, and the Semi-Annual Channel for broad deployment](images/WIP4Biz_deployment.png)](images/WIP4Biz_deployment.png)
+Windows 10 Insider Preview builds enable organizations to prepare sooner for Windows Semi-Annual releases and reduce the overall validation effort required with traditional deployments. + +## Explore new Windows 10 features in Insider Previews +Windows 10 Insider Preview builds offer organizations a valuable and exciting opportunity to evaluate new Windows features well before general release. What’s more, by providing feedback to Microsoft on these features, you and other Insiders in your organization can help shape Windows for your specific business needs. Here’s how to get the most out of your feature exploration: + +|Objective |Feature exploration| +|---------|---------| +|Release channel |**Fast Ring:** Insider Preview builds in the Fast Ring are released approximately once a week and contain the very latest features. This makes them ideal for feature exploration.| +|Users | Because Fast Ring builds are released so early in the development cycle, we recommend limiting feature exploration in your organization to IT administrators and developers running Insider Preview builds on secondary devices. | +|Tasks | - Install and manage Insider Preview builds on devices (per device or centrally across multiple devices)
- Explore new features in Windows designed for organizations, including new features related to current and planned line of business applications
- Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) for a summary of current features. | +|Feedback | - Provide feedback via [Feedback Hub app](insiderhub://home/). This helps us make adjustments to features as quickly as possible.
- Encourage users to sign into the Feedback Hub using their AAD work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
- [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/en-us/how-to-feedback/) | + +## Validate Insider Preview builds +Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. This activity can play an important role in your [Windows 10 deployment strategy](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business). Early validation has several benefits: + +- Get a head start on your Windows validation process +- Identify issues sooner to accelerate your Windows deployment +- Engage Microsoft earlier for help with potential compatibility issues +- Deploy Windows 10 Semi-Annual releases faster and more confidently +- Maximize the 18-month support Window that comes with each Semi-Annual release. + +|Objective |Feature exploration| +|---------|---------| +|Release channel |**Slow Ring:** Insider Preview builds in the Slow Ring are released approximately once a month. They are more stable than Fast Ring releases, making them better suited for validation purposes. Slow Ring releases can be run on either secondary or primary production devices by skilled users.| +|Users | Application and infrastructure validation: In addition to Insiders who might have participated in feature exploration, we also recommend including a small group of application users from each business department to ensure a representative sample.| +|Tasks | Application and infrastructure validation: Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) and [Windows Insider Tech Community](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) pages for updates on current issues and fixes. | +|Feedback | Application and infrastructure validation:Provide feedback in the Feedback Hub app and also inform app vendors of any significant issues. | +|Guidance | Application and infrastructure validation:
- [Use Upgrade Readiness to create an app inventory and identify mission-critical apps](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-identify-apps)
- [Use Device Health to identify problem devices and device drivers](https://docs.microsoft.com/windows/deployment/update/device-health-monitor)
- [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793)| \ No newline at end of file diff --git a/windows/deployment/update/change-history-for-update-windows-10.md b/windows/deployment/update/change-history-for-update-windows-10.md index 135d1670a5..99bb88d5a4 100644 --- a/windows/deployment/update/change-history-for-update-windows-10.md +++ b/windows/deployment/update/change-history-for-update-windows-10.md @@ -1,52 +1,52 @@ ---- -title: Change history for Update Windows 10 (Windows 10) -description: This topic lists new and updated topics in the Update Windows 10 documentation for Windows 10 and Windows 10 Mobile. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.author: greglin -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Change history for Update Windows 10 - -This topic lists new and updated topics in the [Update Windows 10](index.md) documentation for [Deploy and Update Windows 10](https://docs.microsoft.com/windows/deployment). - ->If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). - -## September 2018 - -| New or changed topic | Description | -| --- | --- | -| [Get started with Windows Update](windows-update-overview.md) | New | - - -## RELEASE: Windows 10, version 1709 - -The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). - -## September 2017 - -| New or changed topic | Description | -| --- | --- | -| [Olympia Corp](olympia/olympia-enrollment-guidelines.md) | New | - -## July 2017 - -All topics were updated to reflect the new [naming changes](waas-overview.md#naming-changes). - -## May 2017 - -| New or changed topic | Description | -| --- | --- | -| [Manage additional Windows Update settings](waas-wu-settings.md) | New | - -## RELEASE: Windows 10, version 1703 - -The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added: -* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-get-started) -* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-register) +--- +title: Change history for Update Windows 10 (Windows 10) +description: This topic lists new and updated topics in the Update Windows 10 documentation for Windows 10 and Windows 10 Mobile. +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.author: jaimeo +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Change history for Update Windows 10 + +This topic lists new and updated topics in the [Update Windows 10](index.md) documentation for [Deploy and Update Windows 10](https://docs.microsoft.com/windows/deployment). + +>If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). + +## September 2018 + +| New or changed topic | Description | +| --- | --- | +| [Get started with Windows Update](windows-update-overview.md) | New | + + +## RELEASE: Windows 10, version 1709 + +The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). + +## September 2017 + +| New or changed topic | Description | +| --- | --- | +| [Olympia Corp](olympia/olympia-enrollment-guidelines.md) | New | + +## July 2017 + +All topics were updated to reflect the new [naming changes](waas-overview.md#naming-changes). + +## May 2017 + +| New or changed topic | Description | +| --- | --- | +| [Manage additional Windows Update settings](waas-wu-settings.md) | New | + +## RELEASE: Windows 10, version 1703 + +The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added: +* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-get-started) +* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-register) diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md index 23a56637e9..a7386012df 100644 --- a/windows/deployment/update/device-health-get-started.md +++ b/windows/deployment/update/device-health-get-started.md @@ -4,7 +4,6 @@ description: Configure Device Health in Azure Monitor to monitor health (such as keywords: Device Health, oms, operations management suite, prerequisites, requirements, monitoring, crash, drivers, azure ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library ms.reviewer: manager: laurawi ms.pagetype: deploy diff --git a/windows/deployment/update/device-health-monitor.md b/windows/deployment/update/device-health-monitor.md index a87d7b2ed5..49b2c735d9 100644 --- a/windows/deployment/update/device-health-monitor.md +++ b/windows/deployment/update/device-health-monitor.md @@ -6,7 +6,7 @@ description: You can use Device Health in Azure Portal to monitor the frequency keywords: oms, operations management suite, wdav, health, log analytics ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library + ms.localizationpriority: medium ms.pagetype: deploy audience: itpro diff --git a/windows/deployment/update/device-health-using.md b/windows/deployment/update/device-health-using.md index 40bc6d5423..8ca94aa1a8 100644 --- a/windows/deployment/update/device-health-using.md +++ b/windows/deployment/update/device-health-using.md @@ -6,7 +6,7 @@ description: Explains how to begin using Device Health. ms.prod: w10 ms.mktglfcycl: deploy keywords: oms, operations management suite, wdav, health, log analytics -ms.sitesec: library + ms.pagetype: deploy author: jaimeo ms.author: jaimeo diff --git a/windows/deployment/update/feature-update-conclusion.md b/windows/deployment/update/feature-update-conclusion.md index 7cd119e52b..5c72afc8c0 100644 --- a/windows/deployment/update/feature-update-conclusion.md +++ b/windows/deployment/update/feature-update-conclusion.md @@ -1,24 +1,24 @@ ---- -title: Best practices for feature updates - conclusion -description: Final thoughts about how to deploy feature updates -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 07/09/2018 -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Conclusion - -**Applies to**: Windows 10 - -Mission critical devices that need to be online 24x7 pose unique challenges for the IT Pro looking to stay current with the latest Windows 10 feature update. Because these devices are online continually, providing mission critical services, with only a small window of time available to apply feature updates, specific procedures are required to effectively keep these devices current, with as little downtime as possible. - -Whether you have defined servicing windows at your disposal where feature updates can be installed automatically, or you require user initiated installs by a technician, this whitepaper provides guidelines for either approach. Improvements are continually being made to Windows 10 setup to reduce device offline time for feature updates. This whitepaper will be updated as enhancements become available to improve the overall servicing approach and experience. - +--- +title: Best practices for feature updates - conclusion +description: Final thoughts about how to deploy feature updates +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.reviewer: +manager: laurawi +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Conclusion + +**Applies to**: Windows 10 + +Mission critical devices that need to be online 24x7 pose unique challenges for the IT Pro looking to stay current with the latest Windows 10 feature update. Because these devices are online continually, providing mission critical services, with only a small window of time available to apply feature updates, specific procedures are required to effectively keep these devices current, with as little downtime as possible. + +Whether you have defined servicing windows at your disposal where feature updates can be installed automatically, or you require user initiated installs by a technician, this whitepaper provides guidelines for either approach. Improvements are continually being made to Windows 10 setup to reduce device offline time for feature updates. This whitepaper will be updated as enhancements become available to improve the overall servicing approach and experience. + diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index 0fbe54bae5..6d53e1e602 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -1,261 +1,262 @@ ---- -title: Best practices - deploy feature updates during maintenance windows -description: Learn how to deploy feature updates during a maintenance window -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 07/09/2018 -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Deploy feature updates during maintenance windows - -**Applies to**: Windows 10 - -Use the following information to deploy feature updates during a maintenance window. - -## Get ready to deploy feature updates - -### Step 1: Configure maintenance windows - -1. In the Configuration Manager console, choose **Assets and Compliance> Device Collections**. -2. In the **Device Collections** list, select the collection for which you intended to deploy the feature update(s). -3. On the **Home** tab, in the **Properties** group, choose **Properties**. -4. In the **Maintenance Windows** tab of the `` Properties dialog box, choose the New icon. -5. Complete the `` Schedule dialog. -6. Select from the Apply this schedule to drop-down list. -7. Choose **OK** and then close the **\ Properties** dialog box. - -### Step 2: Review computer restart device settings - -If you’re not suppressing computer restarts and the feature update will be installed when no users are present, consider deploying a custom client settings policy to your feature update target collection to shorten the settings below or consider the total duration of these settings when defining your maintenance window duration. - -For example, by default, 90 minutes will be honored before the system is rebooted after the feature update install. If users will not be impacted by the user logoff or restart, there is no need to wait a full 90 minutes before rebooting the computer. If a delay and notification is needed, ensure that the maintenance window takes this into account along with the total time needed to install the feature update. - ->[!NOTE] -> The following settings must be shorter in duration than the shortest maintenance window applied to the computer. ->- **Display a temporary notification to the user that indicates the interval before the user is logged off or the computer restarts (minutes).** ->- **Display a dialog box that the user cannot close, which displays the countdown interval before the user is logged off or the computer restarts (minutes).** - -### Step 3: Enable Peer Cache - -Use **Peer Cache** to help manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache. - -[Enable Configuration Manager client in full OS to share content](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update). - -### Step 4: Override the default Windows setup priority (Windows 10, version 1709 and later) - -If you’re deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. - -%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini - -``` -[SetupConfig] -Priority=Normal -``` - -You can use the new [Run Scripts](https://docs.microsoft.com/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices. - -``` -#Parameters -Param( - [string] $PriorityValue = "Normal" - ) - -#Variable for ini file path -$iniFilePath = "$env:SystemDrive\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini" - -#Variables for SetupConfig -$iniSetupConfigSlogan = "[SetupConfig]" -$iniSetupConfigKeyValuePair =@{"Priority"=$PriorityValue;} - -#Init SetupConfig content -$iniSetupConfigContent = @" -$iniSetupConfigSlogan -"@ - -#Build SetupConfig content with settings -foreach ($k in $iniSetupConfigKeyValuePair.Keys) -{ - $val = $iniSetupConfigKeyValuePair[$k] - - $iniSetupConfigContent = $iniSetupConfigContent.Insert($iniSetupConfigContent.Length, "`r`n$k=$val") -} - -#Write content to file -New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force - -Disclaimer -Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is -provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without -limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk -arising out of the use or performance of the sample script and documentation remains with you. In no event shall -Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable -for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, -loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script -or documentation, even if Microsoft has been advised of the possibility of such damages. -``` - ->[!NOTE] ->If you elect not to override the default setup priority, you will need to increase the [maximum run time](https://docs.microsoft.com/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. - -## Manually deploy feature updates - -The following sections provide the steps to manually deploy a feature update. - -### Step 1: Specify search criteria for feature updates -There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy. - -1. In the Configuration Manager console, click **Software Library**. -2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. -3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps: - - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. - - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, Required is greater than or equal to 1, and Language equals English. - -4. Save the search for future use. - -### Step 2: Download the content for the feature update(s) -Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. - -1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. -2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select Download. - - The **Download Software Updates Wizard** opens. -3. On the **Deployment Package** page, configure the following settings: - **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: - - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. - - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. - - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. - - >[!NOTE] - >The deployment package source location that you specify cannot be used by another software deployment package. - - >[!IMPORTANT] - >The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. - - >[!IMPORTANT] - >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. - - Click **Next**. -4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](https://docs.microsoft.com/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). - - >[!NOTE] - >The Distribution Points page is available only when you create a new software update deployment package. -5. On the **Distribution Settings** page, specify the following settings: - - - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. - - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). - - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: - - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. - - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. - - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. - - For more information about prestaging content to distribution points, see [Use Prestaged content](https://docs.microsoft.com/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). - Click **Next**. -6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: - - - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting. - - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. - - >[!NOTE] - >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. - - Click **Next**. -7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. -8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. -9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close. - -#### To monitor content status -1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. -2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**. -3. Select the feature update package that you previously identified to download the feature updates. -4. On the **Home** tab, in the Content group, click **View Status**. - -### Step 3: Deploy the feature update(s) -After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). - -1. In the Configuration Manager console, click **Software Library**. -2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. -3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**. - - The **Deploy Software Updates Wizard** opens. -4. On the General page, configure the following settings: - - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** - - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. - - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. - - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. - - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. -5. On the Deployment Settings page, configure the following settings: - - - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. - - >[!IMPORTANT] - > After you create the software update deployment, you cannot later change the type of deployment. - - >[!NOTE] - >A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured. - - - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. - - >[!WARNING] - >Before you can use this option, computers and networks must be configured for Wake On LAN. - - - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. -6. On the Scheduling page, configure the following settings: - - - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. - - >[!NOTE] - >When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. - - - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients: - - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. - - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. - - >[!NOTE] - >You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. - - - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links. - - >[!NOTE] - >The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#computer-agent). -7. On the User Experience page, configure the following settings: - - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**. - - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). - - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. - - >[!IMPORTANT] - >Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. - - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. - - >[!NOTE] - >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. - - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. -8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. - - >[!NOTE] - >You can review recent software updates alerts from the Software Updates node in the Software Library workspace. -9. On the Download Settings page, configure the following settings: - - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. - - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. - - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). - - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content. - - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. - - >[!NOTE] - >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). -10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. -11. Click **Next** to deploy the feature update(s). - -### Step 4: Monitor the deployment status -After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status: - -1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**. -2. Click the software update group or software update for which you want to monitor the deployment status. -3. On the **Home** tab, in the **Deployment** group, click **View Status**. +--- +title: Best practices - deploy feature updates during maintenance windows +description: Learn how to deploy feature updates during a maintenance window +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.date: 07/09/2018 +ms.reviewer: +manager: laurawi +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Deploy feature updates during maintenance windows + +**Applies to**: Windows 10 + +Use the following information to deploy feature updates during a maintenance window. + +## Get ready to deploy feature updates + +### Step 1: Configure maintenance windows + +1. In the Configuration Manager console, choose **Assets and Compliance> Device Collections**. +2. In the **Device Collections** list, select the collection for which you intended to deploy the feature update(s). +3. On the **Home** tab, in the **Properties** group, choose **Properties**. +4. In the **Maintenance Windows** tab of the `` Properties dialog box, choose the New icon. +5. Complete the `` Schedule dialog. +6. Select from the Apply this schedule to drop-down list. +7. Choose **OK** and then close the **\ Properties** dialog box. + +### Step 2: Review computer restart device settings + +If you’re not suppressing computer restarts and the feature update will be installed when no users are present, consider deploying a custom client settings policy to your feature update target collection to shorten the settings below or consider the total duration of these settings when defining your maintenance window duration. + +For example, by default, 90 minutes will be honored before the system is rebooted after the feature update install. If users will not be impacted by the user logoff or restart, there is no need to wait a full 90 minutes before rebooting the computer. If a delay and notification is needed, ensure that the maintenance window takes this into account along with the total time needed to install the feature update. + +>[!NOTE] +> The following settings must be shorter in duration than the shortest maintenance window applied to the computer. +>- **Display a temporary notification to the user that indicates the interval before the user is logged off or the computer restarts (minutes).** +>- **Display a dialog box that the user cannot close, which displays the countdown interval before the user is logged off or the computer restarts (minutes).** + +### Step 3: Enable Peer Cache + +Use **Peer Cache** to help manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache. + +[Enable Configuration Manager client in full OS to share content](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update). + +### Step 4: Override the default Windows setup priority (Windows 10, version 1709 and later) + +If you’re deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. + +%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini + +``` +[SetupConfig] +Priority=Normal +``` + +You can use the new [Run Scripts](https://docs.microsoft.com/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices. + +``` +#Parameters +Param( + [string] $PriorityValue = "Normal" + ) + +#Variable for ini file path +$iniFilePath = "$env:SystemDrive\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini" + +#Variables for SetupConfig +$iniSetupConfigSlogan = "[SetupConfig]" +$iniSetupConfigKeyValuePair =@{"Priority"=$PriorityValue;} + +#Init SetupConfig content +$iniSetupConfigContent = @" +$iniSetupConfigSlogan +"@ + +#Build SetupConfig content with settings +foreach ($k in $iniSetupConfigKeyValuePair.Keys) +{ + $val = $iniSetupConfigKeyValuePair[$k] + + $iniSetupConfigContent = $iniSetupConfigContent.Insert($iniSetupConfigContent.Length, "`r`n$k=$val") +} + +#Write content to file +New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force + +Disclaimer +Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is +provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without +limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk +arising out of the use or performance of the sample script and documentation remains with you. In no event shall +Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable +for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, +loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script +or documentation, even if Microsoft has been advised of the possibility of such damages. +``` + +>[!NOTE] +>If you elect not to override the default setup priority, you will need to increase the [maximum run time](https://docs.microsoft.com/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. + +## Manually deploy feature updates + +The following sections provide the steps to manually deploy a feature update. + +### Step 1: Specify search criteria for feature updates +There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy. + +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. +3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps: + - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. + - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, Required is greater than or equal to 1, and Language equals English. + +4. Save the search for future use. + +### Step 2: Download the content for the feature update(s) +Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. + +1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. +2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select Download. + + The **Download Software Updates Wizard** opens. +3. On the **Deployment Package** page, configure the following settings: + **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: + - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. + - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. + - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. + + >[!NOTE] + >The deployment package source location that you specify cannot be used by another software deployment package. + + >[!IMPORTANT] + >The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. + + >[!IMPORTANT] + >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. + + Click **Next**. +4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](https://docs.microsoft.com/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). + + >[!NOTE] + >The Distribution Points page is available only when you create a new software update deployment package. +5. On the **Distribution Settings** page, specify the following settings: + + - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. + - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). + - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: + - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. + - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. + - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. + + For more information about prestaging content to distribution points, see [Use Prestaged content](https://docs.microsoft.com/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). + Click **Next**. +6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: + + - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting. + - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. + + >[!NOTE] + >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. + + Click **Next**. +7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. +8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. +9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close. + +#### To monitor content status +1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. +2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**. +3. Select the feature update package that you previously identified to download the feature updates. +4. On the **Home** tab, in the Content group, click **View Status**. + +### Step 3: Deploy the feature update(s) +After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). + +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. +3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**. + + The **Deploy Software Updates Wizard** opens. +4. On the General page, configure the following settings: + - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** + - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. + - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. + - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. + - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. +5. On the Deployment Settings page, configure the following settings: + + - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. + + >[!IMPORTANT] + > After you create the software update deployment, you cannot later change the type of deployment. + + >[!NOTE] + >A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured. + + - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. + + >[!WARNING] + >Before you can use this option, computers and networks must be configured for Wake On LAN. + + - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. +6. On the Scheduling page, configure the following settings: + + - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. + + >[!NOTE] + >When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. + + - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients: + - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. + - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. + + >[!NOTE] + >You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. + + - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links. + + >[!NOTE] + >The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#computer-agent). +7. On the User Experience page, configure the following settings: + - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**. + - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). + - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. + + >[!IMPORTANT] + >Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. + - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. + + >[!NOTE] + >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. + - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. +8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. + + >[!NOTE] + >You can review recent software updates alerts from the Software Updates node in the Software Library workspace. +9. On the Download Settings page, configure the following settings: + - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. + - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. + - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). + - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content. + - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. + + >[!NOTE] + >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). +10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. +11. Click **Next** to deploy the feature update(s). + +### Step 4: Monitor the deployment status +After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status: + +1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**. +2. Click the software update group or software update for which you want to monitor the deployment status. +3. On the **Home** tab, in the **Deployment** group, click **View Status**. diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md index 61469bed82..37ed550405 100644 --- a/windows/deployment/update/feature-update-mission-critical.md +++ b/windows/deployment/update/feature-update-mission-critical.md @@ -1,43 +1,44 @@ ---- -title: Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices -description: Learn how to deploy feature updates to your mission critical devices -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 07/10/2018 -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices - -**Applies to**: Windows 10 - -Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren’t the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the System Center Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. - -For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, please see [Using Windows 10 servicing plans to deploy Windows 10 feature updates](waas-manage-updates-configuration-manager.md#use-windows-10-servicing-plans-to-deploy-windows-10-feature-updates). - -Devices and shared workstations that are online and available 24 hours a day, 7 days a week, can be serviced via one of two primary methods: - -- **Service during maintenance windows** – Devices that have established maintenance windows will need to have feature updates scheduled to fit within these windows. -- **Service only when manually initiated** – Devices that need physical verification of the availability to update will need to have updates manually initiated by a technician. - -You can use Configuration Manager to deploy feature updates to Windows 10 devices in two ways. The first option is to use the software updates feature. The second option is to use a task sequence to deploy feature updates. There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example: - -- **Upgrade to the next LTSC release.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade. -- **Additional required tasks.** When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments. -- **Language pack installs.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs. - -If you need to leverage a task sequence to deploy feature updates, please see [Using a task sequence to deploy Windows 10 updates](waas-manage-updates-configuration-manager.md#use-a-task-sequence-to-deploy-windows-10-updates) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks preformed pre-install or pre-commit, please see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You may be able to leverage this functionality with the software updates deployment method. - -Use the following information: - - -- [Deploy feature updates during maintenance windows](feature-update-maintenance-window.md) -- [Deploy feature updates for user-initiated installations](feature-update-user-install.md) -- [Conclusion](feature-update-conclusion.md) +--- +title: Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices +description: Learn how to deploy feature updates to your mission critical devices +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.date: 07/10/2018 +ms.reviewer: +manager: laurawi +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices + +**Applies to**: Windows 10 + +Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren’t the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the System Center Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. + +For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, please see [Using Windows 10 servicing plans to deploy Windows 10 feature updates](waas-manage-updates-configuration-manager.md#use-windows-10-servicing-plans-to-deploy-windows-10-feature-updates). + +Devices and shared workstations that are online and available 24 hours a day, 7 days a week, can be serviced via one of two primary methods: + +- **Service during maintenance windows** – Devices that have established maintenance windows will need to have feature updates scheduled to fit within these windows. +- **Service only when manually initiated** – Devices that need physical verification of the availability to update will need to have updates manually initiated by a technician. + +You can use Configuration Manager to deploy feature updates to Windows 10 devices in two ways. The first option is to use the software updates feature. The second option is to use a task sequence to deploy feature updates. There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example: + +- **Upgrade to the next LTSC release.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade. +- **Additional required tasks.** When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments. +- **Language pack installs.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs. + +If you need to leverage a task sequence to deploy feature updates, please see [Using a task sequence to deploy Windows 10 updates](waas-manage-updates-configuration-manager.md#use-a-task-sequence-to-deploy-windows-10-updates) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks preformed pre-install or pre-commit, please see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You may be able to leverage this functionality with the software updates deployment method. + +Use the following information: + + +- [Deploy feature updates during maintenance windows](feature-update-maintenance-window.md) +- [Deploy feature updates for user-initiated installations](feature-update-user-install.md) +- [Conclusion](feature-update-conclusion.md) diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md index 8b7e286eab..e22be01edd 100644 --- a/windows/deployment/update/feature-update-user-install.md +++ b/windows/deployment/update/feature-update-user-install.md @@ -3,11 +3,10 @@ title: Best practices - deploy feature updates for user-initiated installations description: Learn how to manually deploy feature updates ms.prod: w10 ms.mktglfcycl: manage -ms.sitesec: library audience: itpro -author: greg-lindsay +author: jaimeo ms.localizationpriority: medium -ms.author: greglin +ms.author: jaimeo ms.date: 07/10/2018 ms.reviewer: manager: laurawi diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md index 8e8e208b29..9dbe7740b3 100644 --- a/windows/deployment/update/fod-and-lang-packs.md +++ b/windows/deployment/update/fod-and-lang-packs.md @@ -3,11 +3,11 @@ title: Windows 10 - How to make FoD and language packs available when you're usi description: Learn how to make FoD and language packs available when you're using WSUS/SCCM ms.prod: w10 ms.mktglfcycl: manage -ms.sitesec: library + ms.pagetype: article -ms.author: greglin +ms.author: jaimeo audience: itpro -author: greg-lindsay +author: jaimeo ms.localizationpriority: medium ms.date: 03/13/2019 ms.reviewer: diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md index e71e615d1f..1103564dea 100644 --- a/windows/deployment/update/how-windows-update-works.md +++ b/windows/deployment/update/how-windows-update-works.md @@ -1,146 +1,146 @@ ---- -title: How Windows Update works -description: Learn how Windows Update works, including architecture and troubleshooting -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# How does Windows Update work? - -> Applies to: Windows 10 - -The Windows Update workflow has four core areas of functionality: - -### Scan - -1. Orchestrator schedules the scan. -2. Orchestrator verifies admin approvals and policies for download. - - -### Download -1. Orchestrator initiates downloads. -2. Windows Update downloads manifest files and provides them to the arbiter. -3. The arbiter evaluates the manifest and tells the Windows Update client to download files. -4. Windows Update client downloads files in a temporary folder. -5. The arbiter stages the downloaded files. - - -### Install -1. Orchestrator initiates the installation. -2. The arbiter calls the installer to install the package. - - -### Commit -1. Orchestrator initiates a restart. -2. The arbiter finalizes before the restart. - - -## How updating works -During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does this automatically, according to your settings, and in a silent manner that doesn’t disrupt your computer usage. - -## Scanning updates -![Windows Update scanning step](images/update-scan-step.png) - -The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently. - -When checking for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your computer using guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies. - -Make sure you're familiar with the following terminology related to Windows Update scan: - -|Term|Definition| -|----|----------| -|Update|We use this term to mean a lot of different things, but in this context it's the actual patch or change.| -|Bundle update|An update that contains 1-N child updates; doesn't contain payload itself.| -|Child update|Leaf update that's bundled by another update; contains payload.| -|Detectoid update|A special 'update' that contains "IsInstalled" applicability rule only and no payload. Used for prereq evaluation.| -|Category update|A special 'detectoid' that has always true IsInstalled rule. Used for grouping updates and for client to filter updates. | -|Full scan|Scan with empty datastore.| -|Delta scan|Scan with updates from previous scan already cached in datastore.| -|Online scan|Scan that hits network and goes against server on cloud. | -|Offline scan|Scan that doesn't hit network and goes against local datastore. Only useful if online scan has been performed before. | -|CatScan|Category scan where caller can specify a categoryId to get updates published under the categoryId.| -|AppCatScan|Category scan where caller can specify an AppCategoryId to get apps published under the appCategoryId.| -|Software sync|Part of the scan that looks at software updates only (OS and apps).| -|Driver sync|Part of the scan that looks at Driver updates only. This is run after Software sync and is optional.| -|ProductSync|Attributes based sync, where client provides a list of device, product and caller attributes ahead of time to allow service to evaluate applicability in the cloud. | - -### How Windows Update scanning works - -Windows Update takes the following sets of actions when it runs a scan. - -#### Starts the scan for updates -When users start scanning in Windows Update through the Settings panel, the following occurs: - -- The scan first generates a “ComApi” message. The caller (Windows Defender Antivirus) tells the WU engine to scan for updates. -- "Agent" messages: queueing the scan, then actually starting the work: - - Updates are identified by the different IDs ("Id = 10", "Id = 11") and from the different thread ID numbers. - - Windows Update uses the thread ID filtering to concentrate on one particular task. - - ![Windows Update scan log 1](images/update-scan-log-1.png) - -#### Identifies service IDs - -- Service IDs indicate which update source is being scanned. - Note The next screen shot shows Microsoft Update and the Flighting service. - -- The Windows Update engine treats every service as a separate entity, even though multiple services may contain the same updates. - ![Windows Update scan log 2](images/update-scan-log-2.png) -- Common service IDs - - > [!IMPORTANT] - > ServiceId here identifies a client abstraction, not any specific service in the cloud. No assumption should be made of which server a serviceId is pointing to, it's totally controlled by the SLS responses. - -|Service|ServiceId| -|-------|---------| -|Unspecified / Default|WU, MU or WSUS
00000000-0000-0000-0000-000000000000 | -|WU|9482F4B4-E343-43B6-B170-9A65BC822C77| -|MU|7971f918-a847-4430-9279-4a52d1efe18d| -|Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289| -|OS Flighting|8B24B027-1DEE-BABB-9A95-3517DFB9C552| -|WSUS or SCCM|Via ServerSelection::ssManagedServer
3DA21691-E39D-4da6-8A4B-B43877BCB1B7 | -|Offline scan service|Via IUpdateServiceManager::AddScanPackageService| - -#### Finds network faults -Common update failure is caused due to network issues. To find the root of the issue: - -- Look for "ProtocolTalker" messages to see client-server sync network traffic. -- "SOAP faults" can be either client- or server-side issues; read the message. -- The WU client uses SLS (Service Locator Service) to discover the configurations and endpoints of Microsoft network update sources – WU, MU, Flighting. - - > [!NOTE] - > Warning messages for SLS can be ignored if the search is against WSUS/SCCM. - -- On sites that only use WSUS/SCCM, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS/SCCM, since it’s locally configured. - ![Windows Update scan log 3](images/update-scan-log-3.png) - -## Downloading updates -![Windows Update download step](images/update-download-step.png) - -Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does this in the background without interrupting your normal use of the computer. - -To ensure that your other downloads aren’t affected or slowed down because updates are downloading, Windows Update uses the Delivery Optimization (DO) technology which downloads updates and reduces bandwidth consumption. - -For more information see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). - -## Installing updates -![Windows Update install step](images/update-install-step.png) - -When an update is applicable, the "Arbiter" and metadata are downloaded. Depending on your Windows Update settings, when downloading is complete, the Arbiter will gather details from the device, and compare that with the downloaded metadata to create an "action list". - -The action list describes all the files needed from WU, and what the install agent (such as CBS or Setup) should do with them. The action list is provided to the install agent along with the payload to begin the installation. - -## Committing Updates -![Windows Update commit step](images/update-commit-step.png) - -When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the PC for you after installing the updates. This is necessary because your PC may be insecure, or not fully updated, until a restart is completed. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. - -For more information see [Manage device restarts after updates](waas-restart.md). +--- +title: How Windows Update works +description: Learn how Windows Update works, including architecture and troubleshooting +ms.prod: w10 +ms.mktglfcycl: +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.reviewer: +manager: laurawi +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# How does Windows Update work? + +> Applies to: Windows 10 + +The Windows Update workflow has four core areas of functionality: + +### Scan + +1. Orchestrator schedules the scan. +2. Orchestrator verifies admin approvals and policies for download. + + +### Download +1. Orchestrator initiates downloads. +2. Windows Update downloads manifest files and provides them to the arbiter. +3. The arbiter evaluates the manifest and tells the Windows Update client to download files. +4. Windows Update client downloads files in a temporary folder. +5. The arbiter stages the downloaded files. + + +### Install +1. Orchestrator initiates the installation. +2. The arbiter calls the installer to install the package. + + +### Commit +1. Orchestrator initiates a restart. +2. The arbiter finalizes before the restart. + + +## How updating works +During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does this automatically, according to your settings, and in a silent manner that doesn’t disrupt your computer usage. + +## Scanning updates +![Windows Update scanning step](images/update-scan-step.png) + +The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently. + +When checking for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your computer using guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies. + +Make sure you're familiar with the following terminology related to Windows Update scan: + +|Term|Definition| +|----|----------| +|Update|We use this term to mean a lot of different things, but in this context it's the actual patch or change.| +|Bundle update|An update that contains 1-N child updates; doesn't contain payload itself.| +|Child update|Leaf update that's bundled by another update; contains payload.| +|Detectoid update|A special 'update' that contains "IsInstalled" applicability rule only and no payload. Used for prereq evaluation.| +|Category update|A special 'detectoid' that has always true IsInstalled rule. Used for grouping updates and for client to filter updates. | +|Full scan|Scan with empty datastore.| +|Delta scan|Scan with updates from previous scan already cached in datastore.| +|Online scan|Scan that hits network and goes against server on cloud. | +|Offline scan|Scan that doesn't hit network and goes against local datastore. Only useful if online scan has been performed before. | +|CatScan|Category scan where caller can specify a categoryId to get updates published under the categoryId.| +|AppCatScan|Category scan where caller can specify an AppCategoryId to get apps published under the appCategoryId.| +|Software sync|Part of the scan that looks at software updates only (OS and apps).| +|Driver sync|Part of the scan that looks at Driver updates only. This is run after Software sync and is optional.| +|ProductSync|Attributes based sync, where client provides a list of device, product and caller attributes ahead of time to allow service to evaluate applicability in the cloud. | + +### How Windows Update scanning works + +Windows Update takes the following sets of actions when it runs a scan. + +#### Starts the scan for updates +When users start scanning in Windows Update through the Settings panel, the following occurs: + +- The scan first generates a “ComApi” message. The caller (Windows Defender Antivirus) tells the WU engine to scan for updates. +- "Agent" messages: queueing the scan, then actually starting the work: + - Updates are identified by the different IDs ("Id = 10", "Id = 11") and from the different thread ID numbers. + - Windows Update uses the thread ID filtering to concentrate on one particular task. + + ![Windows Update scan log 1](images/update-scan-log-1.png) + +#### Identifies service IDs + +- Service IDs indicate which update source is being scanned. + Note The next screen shot shows Microsoft Update and the Flighting service. + +- The Windows Update engine treats every service as a separate entity, even though multiple services may contain the same updates. + ![Windows Update scan log 2](images/update-scan-log-2.png) +- Common service IDs + + > [!IMPORTANT] + > ServiceId here identifies a client abstraction, not any specific service in the cloud. No assumption should be made of which server a serviceId is pointing to, it's totally controlled by the SLS responses. + +|Service|ServiceId| +|-------|---------| +|Unspecified / Default|WU, MU or WSUS
00000000-0000-0000-0000-000000000000 | +|WU|9482F4B4-E343-43B6-B170-9A65BC822C77| +|MU|7971f918-a847-4430-9279-4a52d1efe18d| +|Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289| +|OS Flighting|8B24B027-1DEE-BABB-9A95-3517DFB9C552| +|WSUS or SCCM|Via ServerSelection::ssManagedServer
3DA21691-E39D-4da6-8A4B-B43877BCB1B7 | +|Offline scan service|Via IUpdateServiceManager::AddScanPackageService| + +#### Finds network faults +Common update failure is caused due to network issues. To find the root of the issue: + +- Look for "ProtocolTalker" messages to see client-server sync network traffic. +- "SOAP faults" can be either client- or server-side issues; read the message. +- The WU client uses SLS (Service Locator Service) to discover the configurations and endpoints of Microsoft network update sources – WU, MU, Flighting. + + > [!NOTE] + > Warning messages for SLS can be ignored if the search is against WSUS/SCCM. + +- On sites that only use WSUS/SCCM, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS/SCCM, since it’s locally configured. + ![Windows Update scan log 3](images/update-scan-log-3.png) + +## Downloading updates +![Windows Update download step](images/update-download-step.png) + +Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does this in the background without interrupting your normal use of the computer. + +To ensure that your other downloads aren’t affected or slowed down because updates are downloading, Windows Update uses the Delivery Optimization (DO) technology which downloads updates and reduces bandwidth consumption. + +For more information see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). + +## Installing updates +![Windows Update install step](images/update-install-step.png) + +When an update is applicable, the "Arbiter" and metadata are downloaded. Depending on your Windows Update settings, when downloading is complete, the Arbiter will gather details from the device, and compare that with the downloaded metadata to create an "action list". + +The action list describes all the files needed from WU, and what the install agent (such as CBS or Setup) should do with them. The action list is provided to the install agent along with the payload to begin the installation. + +## Committing Updates +![Windows Update commit step](images/update-commit-step.png) + +When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the PC for you after installing the updates. This is necessary because your PC may be insecure, or not fully updated, until a restart is completed. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. + +For more information see [Manage device restarts after updates](waas-restart.md). diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md index 9c45228695..d08ff458c4 100644 --- a/windows/deployment/update/index.md +++ b/windows/deployment/update/index.md @@ -3,8 +3,7 @@ title: Update Windows 10 in enterprise deployments (Windows 10) description: Windows as a service provides an all-new way to think about building, deploying, and servicing Windows 10. ms.prod: w10 ms.mktglfcycl: manage -ms.sitesec: library -author: Jaimeo +author: jaimeo manager: laurawi ms.localizationpriority: high ms.author: jaimeo diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md index 4f38f8583c..396ef254fd 100644 --- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md +++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md @@ -1,131 +1,133 @@ ---- -title: Olympia Corp enrollment guidelines -description: Olympia Corp enrollment guidelines -ms.author: greglin -ms.topic: article -ms.prod: w10 -ms.technology: windows -audience: itpro author: greg-lindsay -ms.reviewer: -manager: laurawi -keywords: insider, trial, enterprise, lab, corporation, test ---- - -# Olympia Corp - -## What is Windows Insider Lab for Enterprise and Olympia Corp? - -Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release enterprise privacy and security features. To get the complete experience of these enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features. - -As an Olympia user, you will have an opportunity to: - -- Use various enterprise features like Windows Information Protection (WIP), Advanced Threat Protection (ATP), windows Defender Application Guard (WDAG), and Application Virtualization (APP-V). -- Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness. -- Validate and test pre-release software in your environment. -- Provide feedback. -- Interact with engineering team members through a variety of communication channels. - ->[!Note] ->Enterprise features might have reduced or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the enterprise features at any time without notice. - -For more information about Olympia Corp, see [https://olympia.windows.com/Info/FAQ](https://olympia.windows.com/Info/FAQ). - -To request an Olympia Corp account, fill out the survey at [https://aka.ms/RegisterOlympia](https://aka.ms/RegisterOlympia). - -## Enrollment guidelines - -Welcome to Olympia Corp. Here are the steps needed to enroll. - -As part of Windows Insider Lab for Enterprise, you can upgrade to Windows 10 Enterprise from Windows 10 Pro. This upgrade is optional. Since certain features such as Windows Defender Application Guard are only available on Windows 10 Enterprise, we recommend you to upgrade. - -Choose one of the following two enrollment options: - -- To set up an AAD-registered device, [follow these steps](#enrollment-keep-current-edition). In this case, you log onto the device by using an existing (non-Olympia) account. - -- If you are running Windows 10 Pro, we recommend that you upgrade to Windows 10 Enterprise by following these steps to [set up an Azure Active Directory-joined device](#enrollment-upgrade-to-enterprise). In this case, you will be able to log on to the device with your Olympia account. - - - -### Set up an Azure Active Directory-REGISTERED Windows 10 device - -This is the Bring Your Own Device (BYOD) method--your device will receive Olympia policies and features, but a new account will not be created. See [Set up Azure Active Directory registered Windows 10 devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-registered-devices-windows10-setup) for additional information. - -1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). - - ![Settings -> Accounts](images/1-1.png) - -2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. - -3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. - - ![Set up a work or school account](images/1-3.png) - -4. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. - - > [!NOTE] - > Passwords should contain 8-16 characters, including at least one special character or number. - - ![Update your password](images/1-4.png) - -5. Read the **Terms and Conditions**. Click **Accept** to participate in the program. - -6. If this is the first time you are logging in, fill in the additional information to help you retrieve your account details. - -7. Create a PIN for signing into your Olympia corporate account. - -8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. - - > [!NOTE] - > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). - -9. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. - - - -### Set up Azure Active Directory-JOINED Windows 10 device - -- This method will upgrade your Windows 10 Pro license to Enterprise and create a new account. See [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup) for more information. - -1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). - - ![Settings -> Accounts](images/1-1.png) - -2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. - -3. Click **Connect**, then click **Join this device to Azure Active Directory**. - - ![Update your password](images/2-3.png) - -4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. - - ![Set up a work or school account](images/2-4.png) - -5. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. - - > [!NOTE] - > Passwords should contain 8-16 characters, including at least one special character or number. - - ![Update your password](images/2-5.png) - -6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. - -7. If this is the first time you are signing in, fill in the additional information to help you retrieve your account details. - -8. Create a PIN for signing into your Olympia corporate account. - -9. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. - -10. Restart your device. - -11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your device will upgrade to Windows 10 Enterprise. - -12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. - - > [!NOTE] - > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). - -13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. - ->[!NOTE] -> Your Windows 10 Enterprise license will not be renewed if your device is not connected to Olympia. - +--- +title: Olympia Corp enrollment guidelines +description: Olympia Corp enrollment guidelines +ms.author: jaimeo +ms.topic: article +ms.prod: w10 +ms.technology: windows +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.reviewer: +manager: laurawi +keywords: insider, trial, enterprise, lab, corporation, test +--- + +# Olympia Corp + +## What is Windows Insider Lab for Enterprise and Olympia Corp? + +Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release enterprise privacy and security features. To get the complete experience of these enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features. + +As an Olympia user, you will have an opportunity to: + +- Use various enterprise features like Windows Information Protection (WIP), Advanced Threat Protection (ATP), windows Defender Application Guard (WDAG), and Application Virtualization (APP-V). +- Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness. +- Validate and test pre-release software in your environment. +- Provide feedback. +- Interact with engineering team members through a variety of communication channels. + +>[!Note] +>Enterprise features might have reduced or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the enterprise features at any time without notice. + +For more information about Olympia Corp, see [https://olympia.windows.com/Info/FAQ](https://olympia.windows.com/Info/FAQ). + +To request an Olympia Corp account, fill out the survey at [https://aka.ms/RegisterOlympia](https://aka.ms/RegisterOlympia). + +## Enrollment guidelines + +Welcome to Olympia Corp. Here are the steps needed to enroll. + +As part of Windows Insider Lab for Enterprise, you can upgrade to Windows 10 Enterprise from Windows 10 Pro. This upgrade is optional. Since certain features such as Windows Defender Application Guard are only available on Windows 10 Enterprise, we recommend you to upgrade. + +Choose one of the following two enrollment options: + +- To set up an AAD-registered device, [follow these steps](#enrollment-keep-current-edition). In this case, you log onto the device by using an existing (non-Olympia) account. + +- If you are running Windows 10 Pro, we recommend that you upgrade to Windows 10 Enterprise by following these steps to [set up an Azure Active Directory-joined device](#enrollment-upgrade-to-enterprise). In this case, you will be able to log on to the device with your Olympia account. + + + +### Set up an Azure Active Directory-REGISTERED Windows 10 device + +This is the Bring Your Own Device (BYOD) method--your device will receive Olympia policies and features, but a new account will not be created. See [Set up Azure Active Directory registered Windows 10 devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-registered-devices-windows10-setup) for additional information. + +1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). + + ![Settings -> Accounts](images/1-1.png) + +2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. + +3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. + + ![Set up a work or school account](images/1-3.png) + +4. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. + + > [!NOTE] + > Passwords should contain 8-16 characters, including at least one special character or number. + + ![Update your password](images/1-4.png) + +5. Read the **Terms and Conditions**. Click **Accept** to participate in the program. + +6. If this is the first time you are logging in, fill in the additional information to help you retrieve your account details. + +7. Create a PIN for signing into your Olympia corporate account. + +8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. + + > [!NOTE] + > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). + +9. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. + + + +### Set up Azure Active Directory-JOINED Windows 10 device + +- This method will upgrade your Windows 10 Pro license to Enterprise and create a new account. See [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup) for more information. + +1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). + + ![Settings -> Accounts](images/1-1.png) + +2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. + +3. Click **Connect**, then click **Join this device to Azure Active Directory**. + + ![Update your password](images/2-3.png) + +4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. + + ![Set up a work or school account](images/2-4.png) + +5. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. + + > [!NOTE] + > Passwords should contain 8-16 characters, including at least one special character or number. + + ![Update your password](images/2-5.png) + +6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. + +7. If this is the first time you are signing in, fill in the additional information to help you retrieve your account details. + +8. Create a PIN for signing into your Olympia corporate account. + +9. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. + +10. Restart your device. + +11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your device will upgrade to Windows 10 Enterprise. + +12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. + + > [!NOTE] + > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). + +13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. + +>[!NOTE] +> Your Windows 10 Enterprise license will not be renewed if your device is not connected to Olympia. + diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index 1f23ccbc44..fd2e9857b0 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md @@ -1,56 +1,57 @@ ---- -title: Servicing stack updates (Windows 10) -description: Servicing stack updates improve the code that installs the other updates. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 11/29/2018 -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Servicing stack updates - - -**Applies to** - -- Windows 10, Windows 8.1, Windows 8, Windows 7 - -## What is a servicing stack update? -Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. - -## Why should servicing stack updates be installed and kept up to date? - -Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. - -## When are they released? - -Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical." - ->[!NOTE] ->You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). - -## What's the difference between a servicing stack update and a cumulative update? - -Both Windows 10 and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates. - -Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update. - - -## Is there any special guidance? - -Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update. - -Typically, the improvements are reliability and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes. - -## Installation notes - -* Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system. -* Installing servicing stack update does not require restarting the device, so installation should not be disruptive. -* Servicing stack update releases are specific to the operating system version (build number), much like quality updates. -* Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). +--- +title: Servicing stack updates (Windows 10) +description: Servicing stack updates improve the code that installs the other updates. +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.date: 11/29/2018 +ms.reviewer: +manager: laurawi +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Servicing stack updates + + +**Applies to** + +- Windows 10, Windows 8.1, Windows 8, Windows 7 + +## What is a servicing stack update? +Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. + +## Why should servicing stack updates be installed and kept up to date? + +Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. + +## When are they released? + +Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical." + +>[!NOTE] +>You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). + +## What's the difference between a servicing stack update and a cumulative update? + +Both Windows 10 and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates. + +Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update. + + +## Is there any special guidance? + +Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update. + +Typically, the improvements are reliability and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes. + +## Installation notes + +* Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system. +* Installing servicing stack update does not require restarting the device, so installation should not be disruptive. +* Servicing stack update releases are specific to the operating system version (build number), much like quality updates. +* Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md index ef10467607..612c44e92a 100644 --- a/windows/deployment/update/update-compliance-delivery-optimization.md +++ b/windows/deployment/update/update-compliance-delivery-optimization.md @@ -5,7 +5,6 @@ manager: laurawi description: new Delivery Optimization data displayed in Update Compliance ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library ms.pagetype: deploy audience: itpro author: jaimeo diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md index 8d6fa2501e..2d3216901c 100644 --- a/windows/deployment/update/update-compliance-feature-update-status.md +++ b/windows/deployment/update/update-compliance-feature-update-status.md @@ -1,49 +1,50 @@ ---- -title: Update Compliance - Feature Update Status report -ms.reviewer: -manager: laurawi -description: an overview of the Feature Update Status report -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: greg-lindsay -ms.author: greglin -ms.collection: M365-analytics -ms.topic: article ---- - -# Feature Update Status - -![The Feature Update Status report](images/UC_workspace_FU_status.png) - -The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](waas-overview.md#servicing-channels). - -## Overall Feature Update Status - -The Overall Feature Update Status blade breaks down how many devices are up-to-date or not, with a special callout for how many devices are running a build that is not supported (for a full list of feature updates, check out the [Windows 10 Release Information](https://technet.microsoft.com/windows/release-info.aspx) page). The table beneath the visualization breaks devices down by Servicing Channel and operating system version, then defining whether this combination is *up-to-date*, *not up-to-date* or *out of support*. Finally, the table provides a count of devices that fall into this category. - -## Deployment Status by Servicing Channel - -To effectively track deployment, **Deployment Status Blades** are divided into each Servicing Channel chosen for the device. This is because Deployment for each channel will happen at different periods in time and feature updates are targeted separately for each channel. Within each Deployment Status tile, devices are aggregated on their feature update distribution, and the columns list the states each device is in. - -Refer to the following list for what each state means: -* **Installed** devices are devices that have completed installation for the given update. -* When a device is counted as **In Progress**, it has begun the feature update installation. -* Devices that are **scheduled next 7 days** are all devices that were deferred from installing the Feature update using [Windows Update for Business Settings](waas-manage-updates-wufb.md) and are set to begin installation in the next 7 days. -* Devices that have failed the given feature update installation are counted as **Update failed**. -* If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices not using Windows Update are the most likely devices to fall into this category. - -## Compatibility holds - -Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *compatibility hold* is generated to delay the device’s upgrade and safeguard the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all compatibility holds on the Windows 10 release information page for any given release. - -To learn how compatibility holds are reflected in the experience, see [Update compliance perspectives](update-compliance-perspectives.md#deployment-status). - -### Opting out of compatibility hold - -Microsoft will release a device from a compatibility hold when it has determined it can safely and smoothly install a feature update, but you are ultimately in control of your devices and can opt out if desired. To opt out, set the registry key **HKLM\Software\Microsoft\Windows NT\CurrentVersion\502505fe-762c-4e80-911e-0c3fa4c63fb0** to a name of **DataRequireGatedScanForFeatureUpdates** and a value of **0**. - - -Setting this registry key to **0** will force the device to opt out from *all* compatibility holds. Any other value, or deleting the key, will resume compatibility protection on the device. - +--- +title: Update Compliance - Feature Update Status report +ms.reviewer: +manager: laurawi +description: an overview of the Feature Update Status report +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.author: jaimeo +ms.collection: M365-analytics +ms.topic: article +--- + +# Feature Update Status + +![The Feature Update Status report](images/UC_workspace_FU_status.png) + +The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](waas-overview.md#servicing-channels). + +## Overall Feature Update Status + +The Overall Feature Update Status blade breaks down how many devices are up-to-date or not, with a special callout for how many devices are running a build that is not supported (for a full list of feature updates, check out the [Windows 10 Release Information](https://technet.microsoft.com/windows/release-info.aspx) page). The table beneath the visualization breaks devices down by Servicing Channel and operating system version, then defining whether this combination is *up-to-date*, *not up-to-date* or *out of support*. Finally, the table provides a count of devices that fall into this category. + +## Deployment Status by Servicing Channel + +To effectively track deployment, **Deployment Status Blades** are divided into each Servicing Channel chosen for the device. This is because Deployment for each channel will happen at different periods in time and feature updates are targeted separately for each channel. Within each Deployment Status tile, devices are aggregated on their feature update distribution, and the columns list the states each device is in. + +Refer to the following list for what each state means: +* **Installed** devices are devices that have completed installation for the given update. +* When a device is counted as **In Progress**, it has begun the feature update installation. +* Devices that are **scheduled next 7 days** are all devices that were deferred from installing the Feature update using [Windows Update for Business Settings](waas-manage-updates-wufb.md) and are set to begin installation in the next 7 days. +* Devices that have failed the given feature update installation are counted as **Update failed**. +* If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices not using Windows Update are the most likely devices to fall into this category. + +## Compatibility holds + +Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *compatibility hold* is generated to delay the device’s upgrade and safeguard the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all compatibility holds on the Windows 10 release information page for any given release. + +To learn how compatibility holds are reflected in the experience, see [Update compliance perspectives](update-compliance-perspectives.md#deployment-status). + +### Opting out of compatibility hold + +Microsoft will release a device from a compatibility hold when it has determined it can safely and smoothly install a feature update, but you are ultimately in control of your devices and can opt out if desired. To opt out, set the registry key **HKLM\Software\Microsoft\Windows NT\CurrentVersion\502505fe-762c-4e80-911e-0c3fa4c63fb0** to a name of **DataRequireGatedScanForFeatureUpdates** and a value of **0**. + + +Setting this registry key to **0** will force the device to opt out from *all* compatibility holds. Any other value, or deleting the key, will resume compatibility protection on the device. + diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 03cf9cabc8..0413187d35 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -6,7 +6,6 @@ description: Configure Update Compliance in Azure Portal to see the status of up keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library ms.pagetype: deploy audience: itpro author: jaimeo diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 3a02fa37ca..e41b2f365b 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -6,7 +6,6 @@ description: You can use Update Compliance in Azure Portal to monitor the progre keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library ms.pagetype: deploy audience: itpro author: jaimeo diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md index be35a79469..a4b940a236 100644 --- a/windows/deployment/update/update-compliance-need-attention.md +++ b/windows/deployment/update/update-compliance-need-attention.md @@ -1,46 +1,47 @@ ---- -title: Update Compliance - Need Attention! report -ms.reviewer: -manager: laurawi -description: an overview of the Update Compliance Need Attention! report -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: greg-lindsay -ms.author: greglin -ms.collection: M365-analytics -ms.topic: article ---- - -# Needs attention! -![Needs attention section](images/UC_workspace_needs_attention.png) - -The **Needs attention!** section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section. - ->[!NOTE] ->The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up. - -The different issues are broken down by Device Issues and Update Issues: - -## Device Issues - -* **Missing multiple security updates:** This issue occurs when a device is behind by two or more security updates. These devices might be more vulnerable and should be investigated and updated. -* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows 10 it is running. When a device has fallen out of support, it will no longer receive important security updates, and might be vulnerable. These devices should be updated to a supported version of Windows 10. - -## Update Issues - -* **Failed:** This issue occurs when an error halts the process of downloading and applying an update on a device. Some of these errors might be transient, but should be investigated further to be sure. -* **Cancelled**: This issue occurs when a user cancels the update process. -* **Rollback**: This issue occurs when a fatal error occurs during a feature update, and the device is rolled back to the previous version. -* **Uninstalled**: This issue occurs when a feature update is uninstalled from a device by a user or an administrator. Note that this might not be a problem if the uninstallation was intentional, but is highlighted as it might need attention. -* **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 10 days. - -Selecting any of the issues will take you to a [Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue. - ->[!NOTE] ->This blade also has a link to the [Setup Diagnostic Tool](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful. - -## List of Queries - -The **List of Queries** blade is in the **Needs Attention** section of Update Compliance. This blade contains a list of queries with a description and a link to the query. These queries contain important meta-information that did not fit within any specific section or were listed to serve as a good starting point for modification into custom queries. +--- +title: Update Compliance - Need Attention! report +ms.reviewer: +manager: laurawi +description: an overview of the Update Compliance Need Attention! report +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.author: jaimeo +ms.collection: M365-analytics +ms.topic: article +--- + +# Needs attention! +![Needs attention section](images/UC_workspace_needs_attention.png) + +The **Needs attention!** section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section. + +>[!NOTE] +>The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up. + +The different issues are broken down by Device Issues and Update Issues: + +## Device Issues + +* **Missing multiple security updates:** This issue occurs when a device is behind by two or more security updates. These devices might be more vulnerable and should be investigated and updated. +* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows 10 it is running. When a device has fallen out of support, it will no longer receive important security updates, and might be vulnerable. These devices should be updated to a supported version of Windows 10. + +## Update Issues + +* **Failed:** This issue occurs when an error halts the process of downloading and applying an update on a device. Some of these errors might be transient, but should be investigated further to be sure. +* **Cancelled**: This issue occurs when a user cancels the update process. +* **Rollback**: This issue occurs when a fatal error occurs during a feature update, and the device is rolled back to the previous version. +* **Uninstalled**: This issue occurs when a feature update is uninstalled from a device by a user or an administrator. Note that this might not be a problem if the uninstallation was intentional, but is highlighted as it might need attention. +* **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 10 days. + +Selecting any of the issues will take you to a [Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue. + +>[!NOTE] +>This blade also has a link to the [Setup Diagnostic Tool](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful. + +## List of Queries + +The **List of Queries** blade is in the **Needs Attention** section of Update Compliance. This blade contains a list of queries with a description and a link to the query. These queries contain important meta-information that did not fit within any specific section or were listed to serve as a good starting point for modification into custom queries. diff --git a/windows/deployment/update/update-compliance-perspectives.md b/windows/deployment/update/update-compliance-perspectives.md index 4af9e5897a..b38df5c5af 100644 --- a/windows/deployment/update/update-compliance-perspectives.md +++ b/windows/deployment/update/update-compliance-perspectives.md @@ -1,65 +1,66 @@ ---- -title: Update Compliance - Perspectives -ms.reviewer: -manager: laurawi -description: an overview of Update Compliance Perspectives -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: greg-lindsay -ms.author: greglin -ms.collection: M365-analytics -ms.topic: article ---- - -# Perspectives - -![Perspectives data view](images/uc-perspectiveupdatedeploymentstatus.png) - -Perspectives are elaborations on specific queries hand-crafted by developers which data views that provide deeper insight into your data. Perspectives are loaded whenever clicking into more detailed views from both the Security Update Status section and Feature Update Status section of Update Compliance. - -There is only one perspective framework; it is for **Update Deployment Status**. The same framework is utilized for both feature and quality updates. - -The first blade is the **Build Summary** blade. This blade summarizes the most important aspects of the given build being queried, listing the total number of devices, the total number of update failures for the build, and a breakdown of the different errors encountered. - -The second blade is the **Deferral Configurations** blade, breaking down Windows Update for Business deferral settings (if any). - -## Deployment status - -The third blade is the **Deployment Status** blade. This defines how many days it has been since the queried version has been released, and breaks down the various states in the update funnel each device has reported to be in. The possible states are as follows: - -| State | Description | -| --- | --- | -| Update Completed | When a device has finished the update process and is on the queried update, it will display here as Update completed. | -| In Progress | Devices that report they are “In Progress” are one of the various stages of installing an update; these stages are reported in the Detailed Deployment Status blade. | -| Deferred | When a device’s Windows Update for Business deferral policy dictates that the update is not yet applicable due to deferral, it will report as such in this blade. | -| Progress stalled | Devices that report as “Progress stalled” have been stuck at “In progress” for more than 7 days. | -| Cancelled | The update was cancelled. | -| Blocked | There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update. | -| Unknown | Devices that do not report detailed information on the status of their updates will report Unknown. This is most likely devices that do not use Windows Update for deployment. | -| Update paused | These devices have Windows Update for Business pause enabled, preventing this update from being installed. | -| Failed | A device is unable to install an update. This failure could be linked to a serious error in the update installation process or, in some cases, a [compatibility hold](update-compliance-feature-update-status.md#compatibility-holds). | - -## Detailed deployment status - -The final blade is the **Detailed Deployment Status** blade. This blade breaks down the detailed stage of deployment a device is in, beyond the generalized terms defined in Deployment Status. The following are the possible stages a device can report: - -| State | Description | -| --- | --- | -| Update deferred | When a device’s Windows Update for Business policy dictates the update is deferred. | -| Update paused | The device’s Windows Update for Business policy dictates the update is paused from being offered. | -| Update offered | The device has been offered the update, but has not begun downloading it. | -| Pre-Download tasks passed | The device has finished all necessary tasks prior to downloading the update. | -| Compatibility hold | The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds) | -| Download Started | The update has begun downloading on the device. | -| Download Succeeded | The update has successfully completed downloading. | -| Pre-Install Tasks Passed | Tasks that must be completed prior to installing the update have been completed. | -| Install Started | Installation of the update has begun. | -| Reboot Required | The device has finished installing the update, and a reboot is required before the update can be completed. -| Reboot Pending | The device has a scheduled reboot to apply the update. | -| Reboot Initiated | The scheduled reboot has been initiated. | -| Update Completed/Commit | The update has successfully installed. | - ->[!NOTE] ->Interacting with any rows in the perspective view will automatically apply the given value to the query and execute it with the new parameter, narrowing the perspective to devices that satisfy that criteria. For example, clicking “Not configured (-1)” devices in Deferral Configurations will filter the query to only contain devices that do not have a deferral configuration. These filters can also be applied to queries via the filter sidebar. +--- +title: Update Compliance - Perspectives +ms.reviewer: +manager: laurawi +description: an overview of Update Compliance Perspectives +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.author: jaimeo +ms.collection: M365-analytics +ms.topic: article +--- + +# Perspectives + +![Perspectives data view](images/uc-perspectiveupdatedeploymentstatus.png) + +Perspectives are elaborations on specific queries hand-crafted by developers which data views that provide deeper insight into your data. Perspectives are loaded whenever clicking into more detailed views from both the Security Update Status section and Feature Update Status section of Update Compliance. + +There is only one perspective framework; it is for **Update Deployment Status**. The same framework is utilized for both feature and quality updates. + +The first blade is the **Build Summary** blade. This blade summarizes the most important aspects of the given build being queried, listing the total number of devices, the total number of update failures for the build, and a breakdown of the different errors encountered. + +The second blade is the **Deferral Configurations** blade, breaking down Windows Update for Business deferral settings (if any). + +## Deployment status + +The third blade is the **Deployment Status** blade. This defines how many days it has been since the queried version has been released, and breaks down the various states in the update funnel each device has reported to be in. The possible states are as follows: + +| State | Description | +| --- | --- | +| Update Completed | When a device has finished the update process and is on the queried update, it will display here as Update completed. | +| In Progress | Devices that report they are “In Progress” are one of the various stages of installing an update; these stages are reported in the Detailed Deployment Status blade. | +| Deferred | When a device’s Windows Update for Business deferral policy dictates that the update is not yet applicable due to deferral, it will report as such in this blade. | +| Progress stalled | Devices that report as “Progress stalled” have been stuck at “In progress” for more than 7 days. | +| Cancelled | The update was cancelled. | +| Blocked | There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update. | +| Unknown | Devices that do not report detailed information on the status of their updates will report Unknown. This is most likely devices that do not use Windows Update for deployment. | +| Update paused | These devices have Windows Update for Business pause enabled, preventing this update from being installed. | +| Failed | A device is unable to install an update. This failure could be linked to a serious error in the update installation process or, in some cases, a [compatibility hold](update-compliance-feature-update-status.md#compatibility-holds). | + +## Detailed deployment status + +The final blade is the **Detailed Deployment Status** blade. This blade breaks down the detailed stage of deployment a device is in, beyond the generalized terms defined in Deployment Status. The following are the possible stages a device can report: + +| State | Description | +| --- | --- | +| Update deferred | When a device’s Windows Update for Business policy dictates the update is deferred. | +| Update paused | The device’s Windows Update for Business policy dictates the update is paused from being offered. | +| Update offered | The device has been offered the update, but has not begun downloading it. | +| Pre-Download tasks passed | The device has finished all necessary tasks prior to downloading the update. | +| Compatibility hold | The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds) | +| Download Started | The update has begun downloading on the device. | +| Download Succeeded | The update has successfully completed downloading. | +| Pre-Install Tasks Passed | Tasks that must be completed prior to installing the update have been completed. | +| Install Started | Installation of the update has begun. | +| Reboot Required | The device has finished installing the update, and a reboot is required before the update can be completed. +| Reboot Pending | The device has a scheduled reboot to apply the update. | +| Reboot Initiated | The scheduled reboot has been initiated. | +| Update Completed/Commit | The update has successfully installed. | + +>[!NOTE] +>Interacting with any rows in the perspective view will automatically apply the given value to the query and execute it with the new parameter, narrowing the perspective to devices that satisfy that criteria. For example, clicking “Not configured (-1)” devices in Deferral Configurations will filter the query to only contain devices that do not have a deferral configuration. These filters can also be applied to queries via the filter sidebar. diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md index d299981e93..fa252c9db1 100644 --- a/windows/deployment/update/update-compliance-security-update-status.md +++ b/windows/deployment/update/update-compliance-security-update-status.md @@ -5,7 +5,6 @@ manager: laurawi description: an overview of the Security Update Status report ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index 932d20458b..3f9b6fbcbb 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md @@ -6,7 +6,6 @@ description: Explains how to begin using Update Compliance. keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library ms.pagetype: deploy audience: itpro author: jaimeo diff --git a/windows/deployment/update/update-compliance-wd-av-status.md b/windows/deployment/update/update-compliance-wd-av-status.md index 74250033ff..a6c324c71c 100644 --- a/windows/deployment/update/update-compliance-wd-av-status.md +++ b/windows/deployment/update/update-compliance-wd-av-status.md @@ -1,42 +1,43 @@ ---- -title: Update Compliance - Windows Defender AV Status report -ms.reviewer: -manager: laurawi -description: an overview of the Windows Defender AV Status report -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: greg-lindsay -ms.author: greglin -ms.collection: M365-analytics -ms.topic: article ---- - -# Windows Defender AV Status - -![The Windows Defender AV Status report](images/UC_workspace_WDAV_status.png) - -The Windows Defender AV Status section deals with data concerning signature and threat status for devices that use Windows Defender Antivirus. The section tile in the [Overview Blade](update-compliance-using.md#overview-blade) provides the percentage of devices with insufficient protection – this percentage only considers devices using Windows Defender Antivirus. - ->[!NOTE] ->Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/Licensing/product-licensing/windows10.aspx). - -# Windows Defender AV Status sections -The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Selecting any of these statuses will navigate you to a Log Search view containing the query. - -The **Threat Status** blade shows, among devices that have encountered threats, how many were and were not remediated successfully. It also provides a detailed count. Selecting either of these will take you to the respective query in Log Search for further investigation. - -Here are some important terms to consider when using the Windows Defender AV Status section of Update Compliance: -* **Signature out of date** devices are devices with a signature older than 14 days. -* **No real-time protection** devices are devices that are using Windows Defender AV but have turned off real-time protection. -* **Recently disappeared** devices are devices that were previously seen by Windows Defender AV and are no longer seen in the past 7 days. -* **Remediation failed** devices are devices where Windows Defender AV failed to remediate the threat. This could be due to a number of reasons, including a full disk, network error, operation aborted, etc. Manual intervention might be needed from IT team. -* **Not assessed** devices are devices where either a non-Microsoft AV solution is used or it has been more than 7 days since the device recently disappeared. - -## Windows Defender data latency -Because of the way Windows Defender is associated with the rest of Windows device data, Defender data for new devices might take much longer to appear than other data types. This process could take up to 28 days. - -## Related topics - -- [Windows Defender Antivirus pre-requisites](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting#confirm-pre-requisites) +--- +title: Update Compliance - Windows Defender AV Status report +ms.reviewer: +manager: laurawi +description: an overview of the Windows Defender AV Status report +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.author: jaimeo +ms.collection: M365-analytics +ms.topic: article +--- + +# Windows Defender AV Status + +![The Windows Defender AV Status report](images/UC_workspace_WDAV_status.png) + +The Windows Defender AV Status section deals with data concerning signature and threat status for devices that use Windows Defender Antivirus. The section tile in the [Overview Blade](update-compliance-using.md#overview-blade) provides the percentage of devices with insufficient protection – this percentage only considers devices using Windows Defender Antivirus. + +>[!NOTE] +>Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/Licensing/product-licensing/windows10.aspx). + +# Windows Defender AV Status sections +The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Selecting any of these statuses will navigate you to a Log Search view containing the query. + +The **Threat Status** blade shows, among devices that have encountered threats, how many were and were not remediated successfully. It also provides a detailed count. Selecting either of these will take you to the respective query in Log Search for further investigation. + +Here are some important terms to consider when using the Windows Defender AV Status section of Update Compliance: +* **Signature out of date** devices are devices with a signature older than 14 days. +* **No real-time protection** devices are devices that are using Windows Defender AV but have turned off real-time protection. +* **Recently disappeared** devices are devices that were previously seen by Windows Defender AV and are no longer seen in the past 7 days. +* **Remediation failed** devices are devices where Windows Defender AV failed to remediate the threat. This could be due to a number of reasons, including a full disk, network error, operation aborted, etc. Manual intervention might be needed from IT team. +* **Not assessed** devices are devices where either a non-Microsoft AV solution is used or it has been more than 7 days since the device recently disappeared. + +## Windows Defender data latency +Because of the way Windows Defender is associated with the rest of Windows device data, Defender data for new devices might take much longer to appear than other data types. This process could take up to 28 days. + +## Related topics + +- [Windows Defender Antivirus pre-requisites](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting#confirm-pre-requisites) diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md index 6e8a4ba345..aee88e8e01 100644 --- a/windows/deployment/update/waas-branchcache.md +++ b/windows/deployment/update/waas-branchcache.md @@ -3,11 +3,9 @@ title: Configure BranchCache for Windows 10 updates (Windows 10) description: Use BranchCache to optimize network bandwidth during update deployment. ms.prod: w10 ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay +author: jaimeo ms.localizationpriority: medium -ms.author: greglin -ms.date: 07/27/2017 +ms.author: jaimeo ms.reviewer: manager: laurawi ms.topic: article diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index c6b56e8162..81adf9756d 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -5,7 +5,7 @@ manager: laurawi description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library + audience: itpro author: jaimeo ms.localizationpriority: medium diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index fec88b2720..ab1a485ac8 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -6,11 +6,11 @@ description: Reference of all Delivery Optimization settings and descriptions of keywords: oms, operations management suite, wdav, updates, downloads, log analytics ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library + audience: itpro -author: greg-lindsay +author: jaimeo ms.localizationpriority: medium -ms.author: greglin +ms.author: jaimeo ms.collection: M365-modern-desktop ms.topic: article --- diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md index 0d016a2ce4..61a6af8b7c 100644 --- a/windows/deployment/update/waas-delivery-optimization-setup.md +++ b/windows/deployment/update/waas-delivery-optimization-setup.md @@ -6,7 +6,7 @@ description: Delivery Optimization is a new peer-to-peer distribution method in keywords: oms, operations management suite, wdav, updates, downloads, log analytics ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library + audience: itpro author: jaimeo ms.localizationpriority: medium diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 64deb7803d..c69be3c10b 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -6,7 +6,7 @@ description: Delivery Optimization is a peer-to-peer distribution method in Wind keywords: oms, operations management suite, wdav, updates, downloads, log analytics ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library + audience: itpro author: jaimeo ms.localizationpriority: medium diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md index 30023d81bb..d5eab1b3c4 100644 --- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md +++ b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md @@ -3,7 +3,6 @@ title: Build deployment rings for Windows 10 updates (Windows 10) description: Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades. ms.prod: w10 ms.mktglfcycl: manage -ms.sitesec: library author: jaimeo ms.localizationpriority: medium ms.author: jaimeo diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md index 1bc196ce0e..d28b788ca7 100644 --- a/windows/deployment/update/waas-integrate-wufb.md +++ b/windows/deployment/update/waas-integrate-wufb.md @@ -3,10 +3,9 @@ title: Integrate Windows Update for Business with management solutions (Windows description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager. ms.prod: w10 ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay +author: jaimeo ms.localizationpriority: medium -ms.author: greglin +ms.author: jaimeo ms.date: 07/27/2017 ms.reviewer: manager: laurawi diff --git a/windows/deployment/update/waas-manage-updates-configuration-manager.md b/windows/deployment/update/waas-manage-updates-configuration-manager.md index 5ab254f79d..7563d572b3 100644 --- a/windows/deployment/update/waas-manage-updates-configuration-manager.md +++ b/windows/deployment/update/waas-manage-updates-configuration-manager.md @@ -3,7 +3,6 @@ title: Deploy Windows 10 updates using System Center Configuration Manager (Wind description: System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10. ms.prod: w10 ms.mktglfcycl: manage -ms.sitesec: library author: jaimeo ms.localizationpriority: medium ms.author: jaimeo diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index cda79baf8e..e24cc6ff0b 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -3,7 +3,6 @@ title: Deploy Windows 10 updates using Windows Server Update Services (Windows 1 description: WSUS allows companies to defer, selectively approve, choose when delivered, and determine which devices receive updates. ms.prod: w10 ms.mktglfcycl: manage -ms.sitesec: library author: jaimeo ms.localizationpriority: medium ms.author: jaimeo diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index b80b9132c8..96e833ec0a 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -5,7 +5,6 @@ manager: laurawi description: Windows Update for Business lets you manage when devices received updates from Windows Update. ms.prod: w10 ms.mktglfcycl: manage -ms.sitesec: library author: jaimeo ms.localizationpriority: medium ms.author: jaimeo diff --git a/windows/deployment/update/waas-mobile-updates.md b/windows/deployment/update/waas-mobile-updates.md index 73652f10a9..e425484498 100644 --- a/windows/deployment/update/waas-mobile-updates.md +++ b/windows/deployment/update/waas-mobile-updates.md @@ -3,7 +3,6 @@ title: Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile description: tbd ms.prod: w10 ms.mktglfcycl: manage -ms.sitesec: library author: jaimeo ms.localizationpriority: medium ms.author: jaimeo diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md index bf740f50c0..ecc49de5af 100644 --- a/windows/deployment/update/waas-morenews.md +++ b/windows/deployment/update/waas-morenews.md @@ -1,51 +1,53 @@ ---- -title: Windows as a service -ms.prod: w10 -ms.topic: article -ms.manager: elizapo -audience: itpro author: greg-lindsay -ms.author: greglin -ms.date: 12/19/2018 -ms.reviewer: -manager: laurawi -ms.localizationpriority: high -ms.topic: article ---- -# Windows as a service - More news - -Here's more news about [Windows as a service](windows-as-a-service.md): - - +--- +title: Windows as a service +ms.prod: w10 +ms.topic: article +ms.manager: elizapo +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.author: jaimeo +ms.date: 12/19/2018 +ms.reviewer: +manager: laurawi +ms.localizationpriority: high +ms.topic: article +--- +# Windows as a service - More news + +Here's more news about [Windows as a service](windows-as-a-service.md): + + diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md index 993d1f887d..71135004a4 100644 --- a/windows/deployment/update/waas-optimize-windows-10-updates.md +++ b/windows/deployment/update/waas-optimize-windows-10-updates.md @@ -3,7 +3,6 @@ title: Optimize update delivery for Windows 10 updates (Windows 10) description: Two methods of peer-to-peer content distribution are available in Windows 10, Delivery Optimization and BranchCache. ms.prod: w10 ms.mktglfcycl: manage -ms.sitesec: library author: jaimeo ms.localizationpriority: medium ms.author: jaimeo diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 02b95b42a5..23a3c73b90 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -4,7 +4,6 @@ description: In Windows 10, Microsoft has streamlined servicing to make operatin keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools ms.prod: w10 ms.mktglfcycl: manage -ms.sitesec: library author: jaimeo ms.localizationpriority: medium ms.author: jaimeo diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index b7e23d8a0a..b2f7bf1b6a 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -4,7 +4,6 @@ description: In Windows 10, Microsoft has streamlined servicing to make operatin keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools ms.prod: w10 ms.mktglfcycl: manage -ms.sitesec: library author: jaimeo ms.localizationpriority: medium ms.author: jaimeo diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index 0ea4468377..e1866cfcc0 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md @@ -3,7 +3,7 @@ title: Manage device restarts after updates (Windows 10) description: tbd ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library + author: jaimeo ms.localizationpriority: medium ms.author: jaimeo diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md index 2375cfd6b8..453488ddf0 100644 --- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md @@ -3,7 +3,7 @@ title: Assign devices to servicing channels for Windows 10 updates (Windows 10) description: tbd ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library + author: jaimeo ms.localizationpriority: medium ms.author: jaimeo diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md index 1b5f466c3f..6a9df9bd4f 100644 --- a/windows/deployment/update/waas-servicing-differences.md +++ b/windows/deployment/update/waas-servicing-differences.md @@ -6,12 +6,11 @@ description: Learn the differences between servicing Windows 10 and servicing ol keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools ms.prod: w10 ms.mktglfcycl: manage -ms.sitesec: library audience: itpro -author: greg-lindsay +author: jaimeo ms.localizationpriority: medium ms.audience: itpro -author: greg-lindsay +author: jaimeo ms.topic: article ms.collection: M365-modern-desktop --- diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md index 32e06ed8f5..66702a34a3 100644 --- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md @@ -3,7 +3,6 @@ title: Prepare servicing strategy for Windows 10 updates (Windows 10) description: A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. ms.prod: w10 ms.mktglfcycl: manage -ms.sitesec: library author: jaimeo ms.localizationpriority: medium ms.author: jaimeo diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index 2b84969903..3967a511a8 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md @@ -3,7 +3,7 @@ title: Manage additional Windows Update settings (Windows 10) description: Additional settings to control the behavior of Windows Update (WU) in Windows 10 ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library + audience: itpro author: jaimeo ms.localizationpriority: medium diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md index d45100b41b..d3aee0caf9 100644 --- a/windows/deployment/update/waas-wufb-group-policy.md +++ b/windows/deployment/update/waas-wufb-group-policy.md @@ -3,7 +3,6 @@ title: Walkthrough use Group Policy to configure Windows Update for Business - W description: Configure Windows Update for Business settings using Group Policy. ms.prod: w10 ms.mktglfcycl: manage -ms.sitesec: library author: jaimeo ms.localizationpriority: medium ms.author: jaimeo diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md index 7736d4e6c7..71296b4265 100644 --- a/windows/deployment/update/waas-wufb-intune.md +++ b/windows/deployment/update/waas-wufb-intune.md @@ -3,12 +3,11 @@ title: Walkthrough use Intune to configure Windows Update for Business (Windows description: Configure Windows Update for Business settings using Microsoft Intune. ms.prod: w10 ms.mktglfcycl: manage -ms.sitesec: library audience: itpro -author: greg-lindsay +author: jaimeo ms.localizationpriority: medium ms.audience: itpro -author: greg-lindsay +author: jaimeo ms.date: 07/27/2017 ms.reviewer: manager: laurawi diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md index e0f66504b8..4f04e51290 100644 --- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md +++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md @@ -6,7 +6,6 @@ description: Frequently asked questions about Windows Analytics and steps to tak keywords: windows analytics, oms, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health, FAQ, problems, troubleshooting, error ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library ms.pagetype: deploy audience: itpro author: jaimeo diff --git a/windows/deployment/update/windows-analytics-azure-portal.md b/windows/deployment/update/windows-analytics-azure-portal.md index 6be69ef90e..610deb2695 100644 --- a/windows/deployment/update/windows-analytics-azure-portal.md +++ b/windows/deployment/update/windows-analytics-azure-portal.md @@ -6,7 +6,6 @@ description: Use the Azure Portal to add and configure Windows Analytics solutio keywords: Device Health, oms, Azure, portal, operations management suite, add, manage, configure, Upgrade Readiness, Update Compliance ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library ms.pagetype: deploy audience: itpro author: jaimeo diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md index c64965c11f..8b3ebe0b50 100644 --- a/windows/deployment/update/windows-analytics-get-started.md +++ b/windows/deployment/update/windows-analytics-get-started.md @@ -6,7 +6,6 @@ description: Enroll devices to enable use of Update Compliance, Upgrade Readines keywords: windows analytics, oms, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health, azure portal ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo diff --git a/windows/deployment/update/windows-analytics-overview.md b/windows/deployment/update/windows-analytics-overview.md index c84fb0d8a4..43531d972c 100644 --- a/windows/deployment/update/windows-analytics-overview.md +++ b/windows/deployment/update/windows-analytics-overview.md @@ -6,7 +6,6 @@ description: Introduction and overview of Windows Analytics keywords: Device Health, Upgrade Readiness, Update Compliance, oms, operations management suite, prerequisites, requirements, monitoring, crash, drivers ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library ms.pagetype: deploy audience: itpro author: jaimeo diff --git a/windows/deployment/update/windows-analytics-privacy.md b/windows/deployment/update/windows-analytics-privacy.md index a3b134e6d9..f0b2a4f3af 100644 --- a/windows/deployment/update/windows-analytics-privacy.md +++ b/windows/deployment/update/windows-analytics-privacy.md @@ -6,7 +6,6 @@ description: How Windows Analytics uses data keywords: windows analytics, oms, privacy, data, diagnostic, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health, FAQ, problems, troubleshooting, error ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library ms.pagetype: deploy audience: itpro author: jaimeo diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md index d7d45d741a..91ff545345 100644 --- a/windows/deployment/update/windows-as-a-service.md +++ b/windows/deployment/update/windows-as-a-service.md @@ -1,131 +1,133 @@ ---- -title: Windows as a service -ms.prod: windows-10 -layout: LandingPage -ms.topic: landing-page -ms.manager: elizapo -audience: itpro author: greg-lindsay -ms.audience: itpro author: greg-lindsay -ms.date: 01/24/2019 -ms.reviewer: -manager: laurawi -ms.localizationpriority: high -ms.collection: M365-modern-desktop ---- -# Windows as a service - -Find the tools and resources you need to help deploy and support Windows as a service in your organization. - -## Latest news, videos, & podcasts - -Find the latest and greatest news on Windows 10 deployment and servicing. - -**Discovering the Windows 10 Update history pages** -> [!VIDEO https://www.youtube-nocookie.com/embed/mTnAb9XjMPY] - -Everyone wins when transparency is a top priority. We want you to know when updates are available, as well as alert you to any potential issues you may encounter during or after you install an update. Bookmark the Windows release health dashboard for near real-time information on known issues, workarounds, and resolutions--as well as the current status of the latest feature update rollout. - -The latest news: - - -[See more news](waas-morenews.md). You can also check out the [Windows 10 blog](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog). - -## IT pro champs corner -Written by IT pros for IT pros, sharing real world examples and scenarios for Windows 10 deployment and servicing. - - - -**NEW** Tactical considerations for creating Windows deployment rings - -**NEW** Windows 10 Enterprise vs. Windows 10 Pro: Modern management considerations for your organization - -Deployment rings: The hidden [strategic] gem of Windows as a service - -Classifying Windows updates in common deployment tools - -Express updates for Windows Server 2016 re-enabled for November 2018 update - - -2019 SHA-2 Code Signing Support requirement for Windows and WSUS - -Deploying Windows 10 Feature Updates to 24/7 Mission Critical Devices - -## Discover - -Learn more about Windows as a service and its value to your organization. - - - -Overview of Windows as a service - -Quick guide to Windows as a service - -Windows Analytics overview - -What's new in Windows 10 deployment - -How Microsoft IT deploys Windows 10 - -## Plan - -Prepare to implement Windows as a service effectively using the right tools, products, and strategies. - - - -Simplified updates - -Windows 10 end user readiness - -Ready for Windows - -Manage Windows upgrades with Upgrade Readiness - -Preparing your organization for a seamless Windows 10 deployment - -## Deploy - -Secure your organization's deployment investment. - - - -Update Windows 10 in the enterprise - -Deploying as an in-place upgrade - -Configure Windows Update for Business - -Express update delivery - -Windows 10 deployment considerations - - -## Microsoft Ignite 2018 - - -Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. - -[BRK2417: What’s new in Windows Analytics: An Intro to Desktop Analytics](https://myignite.techcommunity.microsoft.com/sessions/64324#ignite-html-anchor) - -[BRK3018: Deploying Windows 10 in the enterprise using traditional and modern techniques](https://myignite.techcommunity.microsoft.com/sessions/64509#ignite-html-anchor) - -[BRK3019: Delivery Optimization deep dive: How to reduce internet bandwidth impact on your network](https://myignite.techcommunity.microsoft.com/sessions/64510#ignite-html-anchor) - -[BRK3020: Using AI to automate Windows and Office update staging with Windows Update for Business](https://myignite.techcommunity.microsoft.com/sessions/64513#ignite-html-anchor) - -[BRK3027: Deploying Windows 10: Making the update experience smooth and seamless](https://myignite.techcommunity.microsoft.com/sessions/64612#ignite-html-anchor) - -[BRK3039: Windows 10 and Microsoft Office 365 ProPlus lifecycle and servicing update](https://myignite.techcommunity.microsoft.com/sessions/66763#ignite-html-anchor) - -[BRK3211: Ask the Experts: Successfully deploying, servicing, managing Windows 10](https://myignite.techcommunity.microsoft.com/sessions/65963#ignite-html-anchor) - -[THR2234: Windows servicing and delivery fundamentals](https://myignite.techcommunity.microsoft.com/sessions/66741#ignite-html-anchor) - -[THR3006: The pros and cons of LTSC in the enterprise](https://myignite.techcommunity.microsoft.com/sessions/64512#ignite-html-anchor) +--- +title: Windows as a service +ms.prod: windows-10 +layout: LandingPage +ms.topic: landing-page +ms.manager: elizapo +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.audience: itpro +author: jaimeo +ms.reviewer: +manager: laurawi +ms.localizationpriority: high +ms.collection: M365-modern-desktop +--- +# Windows as a service + +Find the tools and resources you need to help deploy and support Windows as a service in your organization. + +## Latest news, videos, & podcasts + +Find the latest and greatest news on Windows 10 deployment and servicing. + +**Discovering the Windows 10 Update history pages** +> [!VIDEO https://www.youtube-nocookie.com/embed/mTnAb9XjMPY] + +Everyone wins when transparency is a top priority. We want you to know when updates are available, as well as alert you to any potential issues you may encounter during or after you install an update. Bookmark the Windows release health dashboard for near real-time information on known issues, workarounds, and resolutions--as well as the current status of the latest feature update rollout. + +The latest news: + + +[See more news](waas-morenews.md). You can also check out the [Windows 10 blog](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog). + +## IT pro champs corner +Written by IT pros for IT pros, sharing real world examples and scenarios for Windows 10 deployment and servicing. + + + +**NEW** Tactical considerations for creating Windows deployment rings + +**NEW** Windows 10 Enterprise vs. Windows 10 Pro: Modern management considerations for your organization + +Deployment rings: The hidden [strategic] gem of Windows as a service + +Classifying Windows updates in common deployment tools + +Express updates for Windows Server 2016 re-enabled for November 2018 update + + +2019 SHA-2 Code Signing Support requirement for Windows and WSUS + +Deploying Windows 10 Feature Updates to 24/7 Mission Critical Devices + +## Discover + +Learn more about Windows as a service and its value to your organization. + + + +Overview of Windows as a service + +Quick guide to Windows as a service + +Windows Analytics overview + +What's new in Windows 10 deployment + +How Microsoft IT deploys Windows 10 + +## Plan + +Prepare to implement Windows as a service effectively using the right tools, products, and strategies. + + + +Simplified updates + +Windows 10 end user readiness + +Ready for Windows + +Manage Windows upgrades with Upgrade Readiness + +Preparing your organization for a seamless Windows 10 deployment + +## Deploy + +Secure your organization's deployment investment. + + + +Update Windows 10 in the enterprise + +Deploying as an in-place upgrade + +Configure Windows Update for Business + +Express update delivery + +Windows 10 deployment considerations + + +## Microsoft Ignite 2018 + + +Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. + +[BRK2417: What’s new in Windows Analytics: An Intro to Desktop Analytics](https://myignite.techcommunity.microsoft.com/sessions/64324#ignite-html-anchor) + +[BRK3018: Deploying Windows 10 in the enterprise using traditional and modern techniques](https://myignite.techcommunity.microsoft.com/sessions/64509#ignite-html-anchor) + +[BRK3019: Delivery Optimization deep dive: How to reduce internet bandwidth impact on your network](https://myignite.techcommunity.microsoft.com/sessions/64510#ignite-html-anchor) + +[BRK3020: Using AI to automate Windows and Office update staging with Windows Update for Business](https://myignite.techcommunity.microsoft.com/sessions/64513#ignite-html-anchor) + +[BRK3027: Deploying Windows 10: Making the update experience smooth and seamless](https://myignite.techcommunity.microsoft.com/sessions/64612#ignite-html-anchor) + +[BRK3039: Windows 10 and Microsoft Office 365 ProPlus lifecycle and servicing update](https://myignite.techcommunity.microsoft.com/sessions/66763#ignite-html-anchor) + +[BRK3211: Ask the Experts: Successfully deploying, servicing, managing Windows 10](https://myignite.techcommunity.microsoft.com/sessions/65963#ignite-html-anchor) + +[THR2234: Windows servicing and delivery fundamentals](https://myignite.techcommunity.microsoft.com/sessions/66741#ignite-html-anchor) + +[THR3006: The pros and cons of LTSC in the enterprise](https://myignite.techcommunity.microsoft.com/sessions/64512#ignite-html-anchor) diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md index 52969656a5..fd014ccd65 100644 --- a/windows/deployment/update/windows-update-error-reference.md +++ b/windows/deployment/update/windows-update-error-reference.md @@ -1,365 +1,367 @@ ---- -title: Windows Update error code list by component -description: Reference information for Windows Update error codes -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.audience: itpro author: greg-lindsay -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Windows Update error codes by component - ->Applies to: Windows 10 - - -This section lists the error codes for Microsoft Windows Update. - -## Automatic Update Errors - -| Error code | Message | Description | -|------------|-------------------------------|--------------------------------------------------------------------------------------------------------| -| 0x80243FFF | WU_E_AUCLIENT_UNEXPECTED | There was a user interface error not covered by another WU_E_AUCLIENT_\* error code. | -| 0x8024A000 | WU_E_AU_NOSERVICE | Automatic Updates was unable to service incoming requests.  | -| 0x8024A002 | WU_E_AU_NONLEGACYSERVER | The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded. | -| 0x8024A003 | WU_E_AU_LEGACYCLIENTDISABLED |  The old version of the Automatic Updates client was disabled. | -| 0x8024A004 | WU_E_AU_PAUSED | Automatic Updates was unable to process incoming requests because it was paused. | -| 0x8024A005 | WU_E_AU_NO_REGISTERED_SERVICE |  No unmanaged service is registered with AU. | -| 0x8024AFFF | WU_E_AU_UNEXPECTED |  An Automatic Updates error not covered by another WU_E_AU \* code. | - -## Windows Update UI errors - -| Error code | Message | Description | -|------------|-------------------------------------------|--------------------------------------------------------------------------------------------------------------------------| -| 0x80243001 | WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION | The results of download and installation could not be read from the registry due to an unrecognized data format version. | -| 0x80243002 | WU_E_INSTALLATION_RESULTS_INVALID_DATA | The results of download and installation could not be read from the registry due to an invalid data format. | -| 0x80243003 | WU_E_INSTALLATION_RESULTS_NOT_FOUND | The results of download and installation are not available; the operation may have failed to start. | -| 0x80243004 |  WU_E_TRAYICON_FAILURE |  A failure occurred when trying to create an icon in the taskbar notification area. | -| 0x80243FFD |  WU_E_NON_UI_MODE |  Unable to show UI when in non-UI mode; WU client UI modules may not be installed.  | -| 0x80243FFE |  WU_E_WUCLTUI_UNSUPPORTED_VERSION |  Unsupported version of WU client UI exported functions.  | -| 0x80243FFF |  WU_E_AUCLIENT_UNEXPECTED |  There was a user interface error not covered by another WU_E_AUCLIENT_\* error code.  | - -## Inventory errors - -| Error code | Message | Description | -|------------|-------------------------------------------|-------------------------------------------------------------------------------| -| 0x80249001 |  WU_E_INVENTORY_PARSEFAILED |  Parsing of the rule file failed.  | -| 0x80249002 |  WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED |  Failed to get the requested inventory type from the server.  | -| 0x80249003 |  WU_E_INVENTORY_RESULT_UPLOAD_FAILED |  Failed to upload inventory result to the server.  | -| 0x80249004 |  WU_E_INVENTORY_UNEXPECTED |  There was an inventory error not covered by another error code. | -| 0x80249005 |  WU_E_INVENTORY_WMI_ERROR |  A WMI error occurred when enumerating the instances for a particular class.  | - -## Expression evaluator errors - -| Error code | Message | Description | -|-------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------| -| 0x8024E001 |  WU_E_EE_UNKNOWN_EXPRESSION |  An expression evaluator operation could not be completed because an expression was unrecognized. | -| 0x8024E002 |  WU_E_EE_INVALID_EXPRESSION |  An expression evaluator operation could not be completed because an expression was invalid.  | -| 0x8024E003 |  WU_E_EE_MISSING_METADATA |  An expression evaluator operation could not be completed because an expression contains an incorrect number of metadata nodes.  | -| 0x8024E004 |  WU_E_EE_INVALID_VERSION |  An expression evaluator operation could not be completed because the version of the serialized expression data is invalid.  | -|  0x8024E005 |  WU_E_EE_NOT_INITIALIZED |  The expression evaluator could not be initialized. | -|  0x8024E006 |  WU_E_EE_INVALID_ATTRIBUTEDATA |  An expression evaluator operation could not be completed because there was an invalid attribute. | -|  0x8024E007 |  WU_E_EE_CLUSTER_ERROR |  An expression evaluator operation could not be completed because the cluster state of the computer could not be determined.  | -|  0x8024EFFF |  WU_E_EE_UNEXPECTED |  There was an expression evaluator error not covered by another WU_E_EE_\* error code.  | - -## Reporter errors - -| Error code | Message | Description | -|-------------|------------------------------------------|-----------------------------------------------------------------------------------------------------------------------| -|  0x80247001 |  WU_E_OL_INVALID_SCANFILE |  An operation could not be completed because the scan package was invalid. | -| 0x80247002 |  WU_E_OL_NEWCLIENT_REQUIRED |  An operation could not be completed because the scan package requires a greater version of the Windows Update Agent. | -|  0x80247FFF |  WU_E_OL_UNEXPECTED |  Search using the scan package failed.  | -|  0x8024F001 |  WU_E_REPORTER_EVENTCACHECORRUPT |  The event cache file was defective.  | -|  0x8024F002 |  WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED |  The XML in the event namespace descriptor could not be parsed. | -|  0x8024F003 |  WU_E_INVALID_EVENT |  The XML in the event namespace descriptor could not be parsed. | -|  0x8024F004 |  WU_E_SERVER_BUSY |  The server rejected an event because the server was too busy. | -|  0x8024FFFF |  WU_E_REPORTER_UNEXPECTED |  There was a reporter error not covered by another error code.  | - -## Redirector errors -The components that download the Wuredir.cab file and then parse the Wuredir.cab file generate the following errors. - -|Error code|Message|Description | -|-|-|-| -| 0x80245001| WU_E_REDIRECTOR_LOAD_XML| The redirector XML document could not be loaded into the DOM class.  | -| 0x80245002| WU_E_REDIRECTOR_S_FALSE| The redirector XML document is missing some required information. | -| 0x80245003| WU_E_REDIRECTOR_ID_SMALLER| The redirectorId in the downloaded redirector cab is less than in the cached cab.  | -| 0x80245FFF| WU_E_REDIRECTOR_UNEXPECTED| The redirector failed for reasons not covered by another WU_E_REDIRECTOR_* error code.  | - -## Protocol Talker errors -The following errors map to SOAPCLIENT_ERRORs through the Atlsoap.h file. These errors are obtained when the CClientWebService object calls the GetClientError() method. - - -| Error code | Message | Description | -|-------------|---------------------------------|------------------------------------------------------------------------------------------------------------------------------------| -|  0x80244000 |  WU_E_PT_SOAPCLIENT_BASE |  WU_E_PT_SOAPCLIENT_\* error codes map to the SOAPCLIENT_ERROR enum of the ATL Server Library. | -| 0x80244001 |  WU_E_PT_SOAPCLIENT_INITIALIZE |  Same as SOAPCLIENT_INITIALIZE_ERROR - initialization of the SOAP client failed possibly because of an MSXML installation failure. | -|  0x80244002 |  WU_E_PT_SOAPCLIENT_OUTOFMEMORY |  Same as SOAPCLIENT_OUTOFMEMORY - SOAP client failed because it ran out of memory.  | -|  0x80244003 |  WU_E_PT_SOAPCLIENT_GENERATE |  Same as SOAPCLIENT_GENERATE_ERROR - SOAP client failed to generate the request. | -|  0x80244004 |  WU_E_PT_SOAPCLIENT_CONNECT |  Same as SOAPCLIENT_CONNECT_ERROR - SOAP client failed to connect to the server.  | -|  0x80244005 |  WU_E_PT_SOAPCLIENT_SEND |  Same as SOAPCLIENT_SEND_ERROR - SOAP client failed to send a message for reasons of WU_E_WINHTTP_\* error codes. | -|  0x80244006 |  WU_E_PT_SOAPCLIENT_SERVER |  Same as SOAPCLIENT_SERVER_ERROR - SOAP client failed because there was a server error.  | -|  0x80244007 |  WU_E_PT_SOAPCLIENT_SOAPFAULT |  Same as SOAPCLIENT_SOAPFAULT - SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | -|  0x80244008 |  WU_E_PT_SOAPCLIENT_PARSEFAULT |  Same as SOAPCLIENT_PARSEFAULT_ERROR - SOAP client failed to parse a SOAP fault. | -|  0x80244009 |  WU_E_PT_SOAPCLIENT_READ |  Same as SOAPCLIENT_READ_ERROR - SOAP client failed while reading the response from the server. | -|  0x8024400A |  WU_E_PT_SOAPCLIENT_PARSE |  Same as SOAPCLIENT_PARSE_ERROR - SOAP client failed to parse the response from the server.  | - -## Other Protocol Talker errors -The following errors map to SOAP_ERROR_CODEs from the Atlsoap.h file. These errors are obtained from the m_fault.m_soapErrCode member of the CClientWebService object when GetClientError() returns SOAPCLIENT_SOAPFAULT. - - -| Error code | Message | Description | -|-------------|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -|  0x8024400B |  WU_E_PT_SOAP_VERSION |  Same as SOAP_E_VERSION_MISMATCH - SOAP client found an unrecognizable namespace for the SOAP envelope. | -|  0x8024400C |  WU_E_PT_SOAP_MUST_UNDERSTAND |  Same as SOAP_E_MUST_UNDERSTAND - SOAP client was unable to understand a header.  | -|  0x8024400D |  WU_E_PT_SOAP_CLIENT |  Same as SOAP_E_CLIENT - SOAP client found the message was malformed; fix before resending.  | -|  0x8024400E |  WU_E_PT_SOAP_SERVER |  Same as SOAP_E_SERVER - The SOAP message could not be processed due to a server error; resend later.  | -|  0x8024400F |  WU_E_PT_WMI_ERROR |  There was an unspecified Windows Management Instrumentation (WMI) error. | -|  0x80244010 |  WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS |  The number of round trips to the server exceeded the maximum limit.  | -|  0x80244011 |  WU_E_PT_SUS_SERVER_NOT_SET |  WUServer policy value is missing in the registry.  | -|  0x80244012 |  WU_E_PT_DOUBLE_INITIALIZATION |  Initialization failed because the object was already initialized.  | -|  0x80244013 |  WU_E_PT_INVALID_COMPUTER_NAME |  The computer name could not be determined.  | -|  0x80244015 |  WU_E_PT_REFRESH_CACHE_REQUIRED |  The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry. | -|  0x80244016 |  WU_E_PT_HTTP_STATUS_BAD_REQUEST |  Same as HTTP status 400 - the server could not process the request due to invalid syntax.  | -|  0x80244017 |  WU_E_PT_HTTP_STATUS_DENIED |  Same as HTTP status 401 - the requested resource requires user authentication.  | -|  0x80244018 |  WU_E_PT_HTTP_STATUS_FORBIDDEN |  Same as HTTP status 403 - server understood the request but declined to fulfill it. | -|  0x80244019 |  WU_E_PT_HTTP_STATUS_NOT_FOUND |  Same as HTTP status 404 - the server cannot find the requested URI (Uniform Resource Identifier).  | -|  0x8024401A |  WU_E_PT_HTTP_STATUS_BAD_METHOD |  Same as HTTP status 405 - the HTTP method is not allowed.  | -|  0x8024401B |  WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ |  Same as HTTP status 407 - proxy authentication is required.  | -|  0x8024401C |  WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT |  Same as HTTP status 408 - the server timed out waiting for the request.  | -|  0x8024401D |  WU_E_PT_HTTP_STATUS_CONFLICT |  Same as HTTP status 409 - the request was not completed due to a conflict with the current state of the resource.  | -|  0x8024401E |  WU_E_PT_HTTP_STATUS_GONE |  Same as HTTP status 410 - requested resource is no longer available at the server. | -|  0x8024401F |  WU_E_PT_HTTP_STATUS_SERVER_ERROR |  Same as HTTP status 500 - an error internal to the server prevented fulfilling the request.  | -|  0x80244020 |  WU_E_PT_HTTP_STATUS_NOT_SUPPORTED |  Same as HTTP status 500 - server does not support the functionality required to fulfill the request.  | -|  0x80244021 |  WU_E_PT_HTTP_STATUS_BAD_GATEWAY | Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfil the request. | -|  0x80244022 |  WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL |  Same as HTTP status 503 - the service is temporarily overloaded.  | -|  0x80244023 |  WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT |  Same as HTTP status 503 - the request was timed out waiting for a gateway.  | -|  0x80244024 |  WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP |  Same as HTTP status 505 - the server does not support the HTTP protocol version used for the request.  | -|  0x80244025 |  WU_E_PT_FILE_LOCATIONS_CHANGED |  Operation failed due to a changed file location; refresh internal state and resend. | -|  0x80244026 |  WU_E_PT_REGISTRATION_NOT_SUPPORTED |  Operation failed because Windows Update Agent does not support registration with a non-WSUS server.  | -|  0x80244027 |  WU_E_PT_NO_AUTH_PLUGINS_REQUESTED |  The server returned an empty authentication information list.  | -|  0x80244028 |  WU_E_PT_NO_AUTH_COOKIES_CREATED |  Windows Update Agent was unable to create any valid authentication cookies.  | -|  0x80244029 |  WU_E_PT_INVALID_CONFIG_PROP |  A configuration property value was wrong.  | -|  0x8024402A |  WU_E_PT_CONFIG_PROP_MISSING |  A configuration property value was missing.  | -|  0x8024402B |  WU_E_PT_HTTP_STATUS_NOT_MAPPED |  The HTTP request could not be completed and the reason did not correspond to any of the WU_E_PT_HTTP_\* error codes.  | -|  0x8024402C |  WU_E_PT_WINHTTP_NAME_NOT_RESOLVED |  Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name cannot be resolved.  | -|  0x8024402F |  WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS |  External cab file processing completed with some errors. | -|  0x80244030 |  WU_E_PT_ECP_INIT_FAILED |  The external cab processor initialization did not complete.  | -|  0x80244031 |  WU_E_PT_ECP_INVALID_FILE_FORMAT |  The format of a metadata file was invalid.  | -|  0x80244032 |  WU_E_PT_ECP_INVALID_METADATA |  External cab processor found invalid metadata.  | -|  0x80244033 |  WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST |  The file digest could not be extracted from an external cab file.  | -|  0x80244034 |  WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE |  An external cab file could not be decompressed.  | -|  0x80244035 |  WU_E_PT_ECP_FILE_LOCATION_ERROR |  External cab processor was unable to get file locations.  | -|  0x80244FFF |  WU_E_PT_UNEXPECTED |  A communication error not covered by another WU_E_PT_\* error code.  | -|  0x8024502D |  WU_E_PT_SAME_REDIR_ID |  Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery.  | -|  0x8024502E |  WU_E_PT_NO_MANAGED_RECOVER |  A redirector recovery action did not complete because the server is managed.  | - -## Download Manager errors - -| Error code | Message | Description | -|-------------|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| -|  0x80246001 |  WU_E_DM_URLNOTAVAILABLE |  A download manager operation could not be completed because the requested file does not have a URL.  | -|  0x80246002 |  WU_E_DM_INCORRECTFILEHASH |  A download manager operation could not be completed because the file digest was not recognized.  | -|  0x80246003 |  WU_E_DM_UNKNOWNALGORITHM |  A download manager operation could not be completed because the file metadata requested an unrecognized hash algorithm.  | -|  0x80246004 |  WU_E_DM_NEEDDOWNLOADREQUEST |  An operation could not be completed because a download request is required from the download handler.  | -|  0x80246005 |  WU_E_DM_NONETWORK |  A download manager operation could not be completed because the network connection was unavailable.  | -|  0x80246006 |  WU_E_DM_WRONGBITSVERSION |  A download manager operation could not be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible. | -|  0x80246007 |  WU_E_DM_NOTDOWNLOADED |  The update has not been downloaded.  | -|  0x80246008 |  WU_E_DM_FAILTOCONNECTTOBITS |  A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS). | -|  0x80246009 | WU_E_DM_BITSTRANSFERERROR |  A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error.  | -|  0x8024600A |  WU_E_DM_DOWNLOADLOCATIONCHANGED |  A download must be restarted because the location of the source of the download has changed. | -|  0x8024600B |  WU_E_DM_CONTENTCHANGED |  A download must be restarted because the update content changed in a new revision.  | -|  0x80246FFF |  WU_E_DM_UNEXPECTED |  There was a download manager error not covered by another WU_E_DM_\* error code.  | - -## Update Handler errors - -| Error code | Message | Description | -|-------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| -|  0x80242000 |  WU_E_UH_REMOTEUNAVAILABLE | 9 A request for a remote update handler could not be completed because no remote process is available.  | -|  0x80242001 |  WU_E_UH_LOCALONLY |  A request for a remote update handler could not be completed because the handler is local only.  | -|  0x80242002 |  WU_E_UH_UNKNOWNHANDLER |  A request for an update handler could not be completed because the handler could not be recognized.  | -|  0x80242003 |  WU_E_UH_REMOTEALREADYACTIVE |  A remote update handler could not be created because one already exists.  | -|  0x80242004 |  WU_E_UH_DOESNOTSUPPORTACTION |  A request for the handler to install (uninstall) an update could not be completed because the update does not support install (uninstall). | -|  0x80242005 |  WU_E_UH_WRONGHANDLER |  An operation did not complete because the wrong handler was specified.  | -|  0x80242006 |  WU_E_UH_INVALIDMETADATA |  A handler operation could not be completed because the update contains invalid metadata.  | -|  0x80242007 |  WU_E_UH_INSTALLERHUNG |  An operation could not be completed because the installer exceeded the time limit.  | -|  0x80242008 |  WU_E_UH_OPERATIONCANCELLED |  An operation being done by the update handler was cancelled.  | -|  0x80242009 |  WU_E_UH_BADHANDLERXML |  An operation could not be completed because the handler-specific metadata is invalid.  | -| 0x8024200A |  WU_E_UH_CANREQUIREINPUT |  A request to the handler to install an update could not be completed because the update requires user input.  | -|  0x8024200B |  WU_E_UH_INSTALLERFAILURE |  The installer failed to install (uninstall) one or more updates.  | -|  0x8024200C |  WU_E_UH_FALLBACKTOSELFCONTAINED |  The update handler should download self-contained content rather than delta-compressed content for the update.  | -|  0x8024200D |  WU_E_UH_NEEDANOTHERDOWNLOAD |  The update handler did not install the update because it needs to be downloaded again.  | -|  0x8024200E |  WU_E_UH_NOTIFYFAILURE |  The update handler failed to send notification of the status of the install (uninstall) operation.  | -|  0x8024200F | WU_E_UH_INCONSISTENT_FILE_NAMES |  The file names contained in the update metadata and in the update package are inconsistent.  | -|  0x80242010 |  WU_E_UH_FALLBACKERROR |  The update handler failed to fall back to the self-contained content.  | -|  0x80242011 |  WU_E_UH_TOOMANYDOWNLOADREQUESTS |  The update handler has exceeded the maximum number of download requests.  | -|  0x80242012 |  WU_E_UH_UNEXPECTEDCBSRESPONSE |  The update handler has received an unexpected response from CBS.  | -|  0x80242013 |  WU_E_UH_BADCBSPACKAGEID |  The update metadata contains an invalid CBS package identifier.  | -|  0x80242014 |  WU_E_UH_POSTREBOOTSTILLPENDING |  The post-reboot operation for the update is still in progress.  | -|  0x80242015 |  WU_E_UH_POSTREBOOTRESULTUNKNOWN |  The result of the post-reboot operation for the update could not be determined.  | -|  0x80242016 |  WU_E_UH_POSTREBOOTUNEXPECTEDSTATE |  The state of the update after its post-reboot operation has completed is unexpected.  | -|  0x80242017 |  WU_E_UH_NEW_SERVICING_STACK_REQUIRED |  The OS servicing stack must be updated before this update is downloaded or installed.  | -|  0x80242FFF |  WU_E_UH_UNEXPECTED |  An update handler error not covered by another WU_E_UH_\* code.  | - -## Data Store errors - -| Error code | Message | Description | -|-------------|-------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -|  0x80248000 |  WU_E_DS_SHUTDOWN |  An operation failed because Windows Update Agent is shutting down.  | -|  0x80248001 |  WU_E_DS_INUSE |  An operation failed because the data store was in use. | -|  0x80248002 |  WU_E_DS_INVALID |  The current and expected states of the data store do not match. | -|  0x80248003 |  WU_E_DS_TABLEMISSING |  The data store is missing a table.  | -|  0x80248004 |  WU_E_DS_TABLEINCORRECT |  The data store contains a table with unexpected columns.  | -|  0x80248005 |  WU_E_DS_INVALIDTABLENAME |  A table could not be opened because the table is not in the data store.  | -|  0x80248006 |  WU_E_DS_BADVERSION |  The current and expected versions of the data store do not match.  | -|  0x80248007 |  WU_E_DS_NODATA |  The information requested is not in the data store.  | -|  0x80248008 |  WU_E_DS_MISSINGDATA |  The data store is missing required information or has a NULL in a table column that requires a non-null value.  | -|  0x80248009 |  WU_E_DS_MISSINGREF |  The data store is missing required information or has a reference to missing license terms file localized property or linked row. | -|  0x8024800A |  WU_E_DS_UNKNOWNHANDLER |  The update was not processed because its update handler could not be recognized.  | -|  0x8024800B |  WU_E_DS_CANTDELETE |  The update was not deleted because it is still referenced by one or more services.  | -|  0x8024800C |  WU_E_DS_LOCKTIMEOUTEXPIRED |  The data store section could not be locked within the allotted time.  | -|  0x8024800D |  WU_E_DS_NOCATEGORIES |  The category was not added because it contains no parent categories and is not a top-level category itself.  | -|  0x8024800E |  WU_E_DS_ROWEXISTS |  The row was not added because an existing row has the same primary key.  | -|  0x8024800F |  WU_E_DS_STOREFILELOCKED |  The data store could not be initialized because it was locked by another process.  | -|  0x80248010 |  WU_E_DS_CANNOTREGISTER |  The data store is not allowed to be registered with COM in the current process.  | -|  0x80248011 | WU_E_DS_UNABLETOSTART |  Could not create a data store object in another process.  | -|  0x80248013 |  WU_E_DS_DUPLICATEUPDATEID | The server sent the same update to the client with two different revision IDs.  | -|  0x80248014 | WU_E_DS_UNKNOWNSERVICE |  An operation did not complete because the service is not in the data store.  | -| 0x80248015 | WU_E_DS_SERVICEEXPIRED | An operation did not complete because the registration of the service has expired.  | -| 0x80248016 |  WU_E_DS_DECLINENOTALLOWED |  A request to hide an update was declined because it is a mandatory update or because it was deployed with a deadline.  | -| 0x80248017 |  WU_E_DS_TABLESESSIONMISMATCH |  A table was not closed because it is not associated with the session.  | -| 0x80248018 |  WU_E_DS_SESSIONLOCKMISMATCH |  A table was not closed because it is not associated with the session.  | -| 0x80248019 |  WU_E_DS_NEEDWINDOWSSERVICE |  A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it is a built-in service and/or Automatic Updates cannot fall back to another service.  | -| 0x8024801A |  WU_E_DS_INVALIDOPERATION |  A request was declined because the operation is not allowed.  | -| 0x8024801B |  WU_E_DS_SCHEMAMISMATCH |  The schema of the current data store and the schema of a table in a backup XML document do not match.  | -| 0x8024801C |  WU_E_DS_RESETREQUIRED |  The data store requires a session reset; release the session and retry with a new session.  | -| 0x8024801D |  WU_E_DS_IMPERSONATED |  A data store operation did not complete because it was requested with an impersonated identity.  | -| 0x80248FFF |  WU_E_DS_UNEXPECTED |  A data store error not covered by another WU_E_DS_\* code.  | - -## Driver Util errors -The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This is not a fatal error, and the device is merely skipped. - -|Error code|Message|Description -|-|-|-| -| 0x8024C001 | WU_E_DRV_PRUNED| A driver was skipped.  -| 0x8024C002 |WU_E_DRV_NOPROP_OR_LEGACY| A property for the driver could not be found. It may not conform with required specifications.  -| 0x8024C003 | WU_E_DRV_REG_MISMATCH| The registry type read for the driver does not match the expected type.  -| 0x8024C004 | WU_E_DRV_NO_METADATA| The driver update is missing metadata.  -| 0x8024C005 | WU_E_DRV_MISSING_ATTRIBUTE| The driver update is missing a required attribute.  -| 0x8024C006| WU_E_DRV_SYNC_FAILED| Driver synchronization failed.  -| 0x8024C007 | WU_E_DRV_NO_PRINTER_CONTENT| Information required for the synchronization of applicable printers is missing.  -| 0x8024CFFF | WU_E_DRV_UNEXPECTED| A driver error not covered by another WU_E_DRV_* code.  - -## Windows Update error codes - -|Error code|Message|Description -|-|-|-| -| 0x80240001 | WU_E_NO_SERVICE| Windows Update Agent was unable to provide the service.  -| 0x80240002 | WU_E_MAX_CAPACITY_REACHED | The maximum capacity of the service was exceeded.  -| 0x80240003 | WU_E_UNKNOWN_ID| An ID cannot be found.  -| 0x80240004 | WU_E_NOT_INITIALIZED| The object could not be initialized.  -| 0x80240005 | WU_E_RANGEOVERLAP |The update handler requested a byte range overlapping a previously requested range.  -| 0x80240006 | WU_E_TOOMANYRANGES| The requested number of byte ranges exceeds the maximum number (2^31 - 1).  -| 0x80240007 | WU_E_INVALIDINDEX| The index to a collection was invalid.  -| 0x80240008 | WU_E_ITEMNOTFOUND| The key for the item queried could not be found.  -| 0x80240009 | WU_E_OPERATIONINPROGRESS| Another conflicting operation was in progress. Some operations such as installation cannot be performed twice simultaneously.  -| 0x8024000A | WU_E_COULDNOTCANCEL| Cancellation of the operation was not allowed.  -| 0x8024000B | WU_E_CALL_CANCELLED| Operation was cancelled.  -| 0x8024000C | WU_E_NOOP| No operation was required.  -| 0x8024000D | WU_E_XML_MISSINGDATA| Windows Update Agent could not find required information in the update's XML data.  -| 0x8024000E | WU_E_XML_INVALID| Windows Update Agent found invalid information in the update's XML data.  -| 0x8024000F | WU_E_CYCLE_DETECTED | Circular update relationships were detected in the metadata.  -| 0x80240010 | WU_E_TOO_DEEP_RELATION| Update relationships too deep to evaluate were evaluated.  -| 0x80240011 | WU_E_INVALID_RELATIONSHIP| An invalid update relationship was detected.  -| 0x80240012 | WU_E_REG_VALUE_INVALID| An invalid registry value was read.  -| 0x80240013 | WU_E_DUPLICATE_ITEM| Operation tried to add a duplicate item to a list.  -| 0x80240016 | WU_E_INSTALL_NOT_ALLOWED| Operation tried to install while another installation was in progress or the system was pending a mandatory restart.  -| 0x80240017 | WU_E_NOT_APPLICABLE| Operation was not performed because there are no applicable updates.  -| 0x80240018 | WU_E_NO_USERTOKEN| Operation failed because a required user token is missing.  -| 0x80240019 | WU_E_EXCLUSIVE_INSTALL_CONFLICT| An exclusive update cannot be installed with other updates at the same time.  -| 0x8024001A | WU_E_POLICY_NOT_SET | A policy value was not set.  -| 0x8024001B | WU_E_SELFUPDATE_IN_PROGRESS| The operation could not be performed because the Windows Update Agent is self-updating.  -| 0x8024001D | WU_E_INVALID_UPDATE| An update contains invalid metadata.  -| 0x8024001E | WU_E_SERVICE_STOP| Operation did not complete because the service or system was being shut down.  -| 0x8024001F | WU_E_NO_CONNECTION| Operation did not complete because the network connection was unavailable.  -| 0x80240020 | WU_E_NO_INTERACTIVE_USER| Operation did not complete because there is no logged-on interactive user.  -| 0x80240021 | WU_E_TIME_OUT| Operation did not complete because it timed out.  -| 0x80240022 | WU_E_ALL_UPDATES_FAILED| Operation failed for all the updates.  -| 0x80240023 | WU_E_EULAS_DECLINED| The license terms for all updates were declined.  -| 0x80240024 | WU_E_NO_UPDATE| There are no updates.  -| 0x80240025 | WU_E_USER_ACCESS_DISABLED| Group Policy settings prevented access to Windows Update.  -| 0x80240026 | WU_E_INVALID_UPDATE_TYPE| The type of update is invalid.  -| 0x80240027 | WU_E_URL_TOO_LONG| The URL exceeded the maximum length.  -| 0x80240028 | WU_E_UNINSTALL_NOT_ALLOWED| The update could not be uninstalled because the request did not originate from a WSUS server.  -| 0x80240029 | WU_E_INVALID_PRODUCT_LICENSE| Search may have missed some updates before there is an unlicensed application on the system.  -| 0x8024002A | WU_E_MISSING_HANDLER| A component required to detect applicable updates was missing.  -| 0x8024002B | WU_E_LEGACYSERVER| An operation did not complete because it requires a newer version of server.  -| 0x8024002C | WU_E_BIN_SOURCE_ABSENT| A delta-compressed update could not be installed because it required the source.  -| 0x8024002D | WU_E_SOURCE_ABSENT| A full-file update could not be installed because it required the source.  -| 0x8024002E | WU_E_WU_DISABLED| Access to an unmanaged server is not allowed.  -| 0x8024002F | WU_E_CALL_CANCELLED_BY_POLICY| Operation did not complete because the DisableWindowsUpdateAccess policy was set.  -| 0x80240030 | WU_E_INVALID_PROXY_SERVER| The format of the proxy list was invalid.  -| 0x80240031 | WU_E_INVALID_FILE| The file is in the wrong format.  -| 0x80240032 | WU_E_INVALID_CRITERIA| The search criteria string was invalid.  -| 0x80240033 | WU_E_EULA_UNAVAILABLE| License terms could not be downloaded.  -| 0x80240034 | WU_E_DOWNLOAD_FAILED| Update failed to download.  -| 0x80240035 | WU_E_UPDATE_NOT_PROCESSED| The update was not processed.  -| 0x80240036 | WU_E_INVALID_OPERATION| The object's current state did not allow the operation.  -| 0x80240037 | WU_E_NOT_SUPPORTED| The functionality for the operation is not supported.  -| 0x80240038 | WU_E_WINHTTP_INVALID_FILE| The downloaded file has an unexpected content type.  -| 0x80240039 | WU_E_TOO_MANY_RESYNC| Agent is asked by server to resync too many times.  -| 0x80240040 | WU_E_NO_SERVER_CORE_SUPPORT| WUA API method does not run on Server Core installation.  -| 0x80240041 | WU_E_SYSPREP_IN_PROGRESS| Service is not available while sysprep is running.  -| 0x80240042 | WU_E_UNKNOWN_SERVICE| The update service is no longer registered with AU.  -| 0x80240043 | WU_E_NO_UI_SUPPORT| There is no support for WUA UI.  -| 0x80240FFF | WU_E_UNEXPECTED| An operation failed due to reasons not covered by another error code.  - -## Windows Update success codes - -|Error code|Message|Description -|-|-|-| -| 0x00240001| WU_S_SERVICE_STOP| Windows Update Agent was stopped successfully.  -| 0x00240002 | WU_S_SELFUPDATE| Windows Update Agent updated itself.  -| 0x00240003 | WU_S_UPDATE_ERROR| Operation completed successfully but there were errors applying the updates.  -| 0x00240004 | WU_S_MARKED_FOR_DISCONNECT| A callback was marked to be disconnected later because the request to disconnect the operation came while a callback was executing.  -| 0x00240005 | WU_S_REBOOT_REQUIRED| The system must be restarted to complete installation of the update.  -| 0x00240006 | WU_S_ALREADY_INSTALLED| The update to be installed is already installed on the system.  -| 0x00240007 | WU_S_ALREADY_UNINSTALLED | The update to be removed is not installed on the system.  -| 0x00240008 | WU_S_ALREADY_DOWNLOADED| The update to be downloaded has already been downloaded.  - -## Windows Installer minor errors -The following errors are used to indicate that part of a search fails because of Windows Installer problems. Another part of the search may successfully return updates. All Windows Installer minor codes must share the same error code range so that the caller can tell that they are related to Windows Installer. - -|Error code|Message|Description -|-|-|-| -| 0x80241001 |WU_E_MSI_WRONG_VERSION| Search may have missed some updates because the Windows Installer is less than version 3.1.  -| 0x80241002 | WU_E_MSI_NOT_CONFIGURED| Search may have missed some updates because the Windows Installer is not configured.  -| 0x80241003 | WU_E_MSP_DISABLED| Search may have missed some updates because policy has disabled Windows Installer patching.  -| 0x80241004 | WU_E_MSI_WRONG_APP_CONTEXT| An update could not be applied because the application is installed per-user.  -| 0x80241FFF | WU_E_MSP_UNEXPECTED| Search may have missed some updates because there was a failure of the Windows Installer.  - -## Windows Update Agent update and setup errors - -|Error code|Message|Description -|-|-|-| -| 0x8024D001 | WU_E_SETUP_INVALID_INFDATA| Windows Update Agent could not be updated because an INF file contains invalid information.  -| 0x8024D002 | WU_E_SETUP_INVALID_IDENTDATA| Windows Update Agent could not be updated because the wuident.cab file contains invalid information.  -| 0x8024D003 | WU_E_SETUP_ALREADY_INITIALIZED| Windows Update Agent could not be updated because of an internal error that caused setup initialization to be performed twice.  -| 0x8024D004 | WU_E_SETUP_NOT_INITIALIZED| Windows Update Agent could not be updated because setup initialization never completed successfully.  -| 0x8024D005 | WU_E_SETUP_SOURCE_VERSION_MISMATCH| Windows Update Agent could not be updated because the versions specified in the INF do not match the actual source file versions.  -| 0x8024D006 | WU_E_SETUP_TARGET_VERSION_GREATER| Windows Update Agent could not be updated because a WUA file on the target system is newer than the corresponding source file.  -| 0x8024D007 | WU_E_SETUP_REGISTRATION_FAILED| Windows Update Agent could not be updated because regsvr32.exe returned an error.  -| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE| An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file.  -| 0x8024D00A | WU_E_SETUP_UNSUPPORTED_CONFIGURATION| Windows Update Agent could not be updated because the current system configuration is not supported.  -| 0x8024D00B | WU_E_SETUP_BLOCKED_CONFIGURATION| Windows Update Agent could not be updated because the system is configured to block the update.  -| 0x8024D00C | WU_E_SETUP_REBOOT_TO_FIX| Windows Update Agent could not be updated because a restart of the system is required.  -| 0x8024D00D | WU_E_SETUP_ALREADYRUNNING| Windows Update Agent setup is already running.  -| 0x8024D00E | WU_E_SETUP_REBOOTREQUIRED| Windows Update Agent setup package requires a reboot to complete installation.  -| 0x8024D00F | WU_E_SETUP_HANDLER_EXEC_FAILURE| Windows Update Agent could not be updated because the setup handler failed during execution.  -| 0x8024D010 | WU_E_SETUP_INVALID_REGISTRY_DATA| Windows Update Agent could not be updated because the registry contains invalid information.  -| 0x8024D013 | WU_E_SETUP_WRONG_SERVER_VERSION| Windows Update Agent could not be updated because the server does not contain update information for this version.  -| 0x8024DFFF | WU_E_SETUP_UNEXPECTED| Windows Update Agent could not be updated because of an error not covered by another WU_E_SETUP_* error code.  +--- +title: Windows Update error code list by component +description: Reference information for Windows Update error codes +ms.prod: w10 +ms.mktglfcycl: +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationprioauthor: jaimeo +ms.audience: itpro +author: jaimeo +ms.date: 09/18/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Windows Update error codes by component + +>Applies to: Windows 10 + + +This section lists the error codes for Microsoft Windows Update. + +## Automatic Update Errors + +| Error code | Message | Description | +|------------|-------------------------------|--------------------------------------------------------------------------------------------------------| +| 0x80243FFF | WU_E_AUCLIENT_UNEXPECTED | There was a user interface error not covered by another WU_E_AUCLIENT_\* error code. | +| 0x8024A000 | WU_E_AU_NOSERVICE | Automatic Updates was unable to service incoming requests.  | +| 0x8024A002 | WU_E_AU_NONLEGACYSERVER | The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded. | +| 0x8024A003 | WU_E_AU_LEGACYCLIENTDISABLED |  The old version of the Automatic Updates client was disabled. | +| 0x8024A004 | WU_E_AU_PAUSED | Automatic Updates was unable to process incoming requests because it was paused. | +| 0x8024A005 | WU_E_AU_NO_REGISTERED_SERVICE |  No unmanaged service is registered with AU. | +| 0x8024AFFF | WU_E_AU_UNEXPECTED |  An Automatic Updates error not covered by another WU_E_AU \* code. | + +## Windows Update UI errors + +| Error code | Message | Description | +|------------|-------------------------------------------|--------------------------------------------------------------------------------------------------------------------------| +| 0x80243001 | WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION | The results of download and installation could not be read from the registry due to an unrecognized data format version. | +| 0x80243002 | WU_E_INSTALLATION_RESULTS_INVALID_DATA | The results of download and installation could not be read from the registry due to an invalid data format. | +| 0x80243003 | WU_E_INSTALLATION_RESULTS_NOT_FOUND | The results of download and installation are not available; the operation may have failed to start. | +| 0x80243004 |  WU_E_TRAYICON_FAILURE |  A failure occurred when trying to create an icon in the taskbar notification area. | +| 0x80243FFD |  WU_E_NON_UI_MODE |  Unable to show UI when in non-UI mode; WU client UI modules may not be installed.  | +| 0x80243FFE |  WU_E_WUCLTUI_UNSUPPORTED_VERSION |  Unsupported version of WU client UI exported functions.  | +| 0x80243FFF |  WU_E_AUCLIENT_UNEXPECTED |  There was a user interface error not covered by another WU_E_AUCLIENT_\* error code.  | + +## Inventory errors + +| Error code | Message | Description | +|------------|-------------------------------------------|-------------------------------------------------------------------------------| +| 0x80249001 |  WU_E_INVENTORY_PARSEFAILED |  Parsing of the rule file failed.  | +| 0x80249002 |  WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED |  Failed to get the requested inventory type from the server.  | +| 0x80249003 |  WU_E_INVENTORY_RESULT_UPLOAD_FAILED |  Failed to upload inventory result to the server.  | +| 0x80249004 |  WU_E_INVENTORY_UNEXPECTED |  There was an inventory error not covered by another error code. | +| 0x80249005 |  WU_E_INVENTORY_WMI_ERROR |  A WMI error occurred when enumerating the instances for a particular class.  | + +## Expression evaluator errors + +| Error code | Message | Description | +|-------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------| +| 0x8024E001 |  WU_E_EE_UNKNOWN_EXPRESSION |  An expression evaluator operation could not be completed because an expression was unrecognized. | +| 0x8024E002 |  WU_E_EE_INVALID_EXPRESSION |  An expression evaluator operation could not be completed because an expression was invalid.  | +| 0x8024E003 |  WU_E_EE_MISSING_METADATA |  An expression evaluator operation could not be completed because an expression contains an incorrect number of metadata nodes.  | +| 0x8024E004 |  WU_E_EE_INVALID_VERSION |  An expression evaluator operation could not be completed because the version of the serialized expression data is invalid.  | +|  0x8024E005 |  WU_E_EE_NOT_INITIALIZED |  The expression evaluator could not be initialized. | +|  0x8024E006 |  WU_E_EE_INVALID_ATTRIBUTEDATA |  An expression evaluator operation could not be completed because there was an invalid attribute. | +|  0x8024E007 |  WU_E_EE_CLUSTER_ERROR |  An expression evaluator operation could not be completed because the cluster state of the computer could not be determined.  | +|  0x8024EFFF |  WU_E_EE_UNEXPECTED |  There was an expression evaluator error not covered by another WU_E_EE_\* error code.  | + +## Reporter errors + +| Error code | Message | Description | +|-------------|------------------------------------------|-----------------------------------------------------------------------------------------------------------------------| +|  0x80247001 |  WU_E_OL_INVALID_SCANFILE |  An operation could not be completed because the scan package was invalid. | +| 0x80247002 |  WU_E_OL_NEWCLIENT_REQUIRED |  An operation could not be completed because the scan package requires a greater version of the Windows Update Agent. | +|  0x80247FFF |  WU_E_OL_UNEXPECTED |  Search using the scan package failed.  | +|  0x8024F001 |  WU_E_REPORTER_EVENTCACHECORRUPT |  The event cache file was defective.  | +|  0x8024F002 |  WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED |  The XML in the event namespace descriptor could not be parsed. | +|  0x8024F003 |  WU_E_INVALID_EVENT |  The XML in the event namespace descriptor could not be parsed. | +|  0x8024F004 |  WU_E_SERVER_BUSY |  The server rejected an event because the server was too busy. | +|  0x8024FFFF |  WU_E_REPORTER_UNEXPECTED |  There was a reporter error not covered by another error code.  | + +## Redirector errors +The components that download the Wuredir.cab file and then parse the Wuredir.cab file generate the following errors. + +|Error code|Message|Description | +|-|-|-| +| 0x80245001| WU_E_REDIRECTOR_LOAD_XML| The redirector XML document could not be loaded into the DOM class.  | +| 0x80245002| WU_E_REDIRECTOR_S_FALSE| The redirector XML document is missing some required information. | +| 0x80245003| WU_E_REDIRECTOR_ID_SMALLER| The redirectorId in the downloaded redirector cab is less than in the cached cab.  | +| 0x80245FFF| WU_E_REDIRECTOR_UNEXPECTED| The redirector failed for reasons not covered by another WU_E_REDIRECTOR_* error code.  | + +## Protocol Talker errors +The following errors map to SOAPCLIENT_ERRORs through the Atlsoap.h file. These errors are obtained when the CClientWebService object calls the GetClientError() method. + + +| Error code | Message | Description | +|-------------|---------------------------------|------------------------------------------------------------------------------------------------------------------------------------| +|  0x80244000 |  WU_E_PT_SOAPCLIENT_BASE |  WU_E_PT_SOAPCLIENT_\* error codes map to the SOAPCLIENT_ERROR enum of the ATL Server Library. | +| 0x80244001 |  WU_E_PT_SOAPCLIENT_INITIALIZE |  Same as SOAPCLIENT_INITIALIZE_ERROR - initialization of the SOAP client failed possibly because of an MSXML installation failure. | +|  0x80244002 |  WU_E_PT_SOAPCLIENT_OUTOFMEMORY |  Same as SOAPCLIENT_OUTOFMEMORY - SOAP client failed because it ran out of memory.  | +|  0x80244003 |  WU_E_PT_SOAPCLIENT_GENERATE |  Same as SOAPCLIENT_GENERATE_ERROR - SOAP client failed to generate the request. | +|  0x80244004 |  WU_E_PT_SOAPCLIENT_CONNECT |  Same as SOAPCLIENT_CONNECT_ERROR - SOAP client failed to connect to the server.  | +|  0x80244005 |  WU_E_PT_SOAPCLIENT_SEND |  Same as SOAPCLIENT_SEND_ERROR - SOAP client failed to send a message for reasons of WU_E_WINHTTP_\* error codes. | +|  0x80244006 |  WU_E_PT_SOAPCLIENT_SERVER |  Same as SOAPCLIENT_SERVER_ERROR - SOAP client failed because there was a server error.  | +|  0x80244007 |  WU_E_PT_SOAPCLIENT_SOAPFAULT |  Same as SOAPCLIENT_SOAPFAULT - SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | +|  0x80244008 |  WU_E_PT_SOAPCLIENT_PARSEFAULT |  Same as SOAPCLIENT_PARSEFAULT_ERROR - SOAP client failed to parse a SOAP fault. | +|  0x80244009 |  WU_E_PT_SOAPCLIENT_READ |  Same as SOAPCLIENT_READ_ERROR - SOAP client failed while reading the response from the server. | +|  0x8024400A |  WU_E_PT_SOAPCLIENT_PARSE |  Same as SOAPCLIENT_PARSE_ERROR - SOAP client failed to parse the response from the server.  | + +## Other Protocol Talker errors +The following errors map to SOAP_ERROR_CODEs from the Atlsoap.h file. These errors are obtained from the m_fault.m_soapErrCode member of the CClientWebService object when GetClientError() returns SOAPCLIENT_SOAPFAULT. + + +| Error code | Message | Description | +|-------------|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|  0x8024400B |  WU_E_PT_SOAP_VERSION |  Same as SOAP_E_VERSION_MISMATCH - SOAP client found an unrecognizable namespace for the SOAP envelope. | +|  0x8024400C |  WU_E_PT_SOAP_MUST_UNDERSTAND |  Same as SOAP_E_MUST_UNDERSTAND - SOAP client was unable to understand a header.  | +|  0x8024400D |  WU_E_PT_SOAP_CLIENT |  Same as SOAP_E_CLIENT - SOAP client found the message was malformed; fix before resending.  | +|  0x8024400E |  WU_E_PT_SOAP_SERVER |  Same as SOAP_E_SERVER - The SOAP message could not be processed due to a server error; resend later.  | +|  0x8024400F |  WU_E_PT_WMI_ERROR |  There was an unspecified Windows Management Instrumentation (WMI) error. | +|  0x80244010 |  WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS |  The number of round trips to the server exceeded the maximum limit.  | +|  0x80244011 |  WU_E_PT_SUS_SERVER_NOT_SET |  WUServer policy value is missing in the registry.  | +|  0x80244012 |  WU_E_PT_DOUBLE_INITIALIZATION |  Initialization failed because the object was already initialized.  | +|  0x80244013 |  WU_E_PT_INVALID_COMPUTER_NAME |  The computer name could not be determined.  | +|  0x80244015 |  WU_E_PT_REFRESH_CACHE_REQUIRED |  The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry. | +|  0x80244016 |  WU_E_PT_HTTP_STATUS_BAD_REQUEST |  Same as HTTP status 400 - the server could not process the request due to invalid syntax.  | +|  0x80244017 |  WU_E_PT_HTTP_STATUS_DENIED |  Same as HTTP status 401 - the requested resource requires user authentication.  | +|  0x80244018 |  WU_E_PT_HTTP_STATUS_FORBIDDEN |  Same as HTTP status 403 - server understood the request but declined to fulfill it. | +|  0x80244019 |  WU_E_PT_HTTP_STATUS_NOT_FOUND |  Same as HTTP status 404 - the server cannot find the requested URI (Uniform Resource Identifier).  | +|  0x8024401A |  WU_E_PT_HTTP_STATUS_BAD_METHOD |  Same as HTTP status 405 - the HTTP method is not allowed.  | +|  0x8024401B |  WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ |  Same as HTTP status 407 - proxy authentication is required.  | +|  0x8024401C |  WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT |  Same as HTTP status 408 - the server timed out waiting for the request.  | +|  0x8024401D |  WU_E_PT_HTTP_STATUS_CONFLICT |  Same as HTTP status 409 - the request was not completed due to a conflict with the current state of the resource.  | +|  0x8024401E |  WU_E_PT_HTTP_STATUS_GONE |  Same as HTTP status 410 - requested resource is no longer available at the server. | +|  0x8024401F |  WU_E_PT_HTTP_STATUS_SERVER_ERROR |  Same as HTTP status 500 - an error internal to the server prevented fulfilling the request.  | +|  0x80244020 |  WU_E_PT_HTTP_STATUS_NOT_SUPPORTED |  Same as HTTP status 500 - server does not support the functionality required to fulfill the request.  | +|  0x80244021 |  WU_E_PT_HTTP_STATUS_BAD_GATEWAY | Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfil the request. | +|  0x80244022 |  WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL |  Same as HTTP status 503 - the service is temporarily overloaded.  | +|  0x80244023 |  WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT |  Same as HTTP status 503 - the request was timed out waiting for a gateway.  | +|  0x80244024 |  WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP |  Same as HTTP status 505 - the server does not support the HTTP protocol version used for the request.  | +|  0x80244025 |  WU_E_PT_FILE_LOCATIONS_CHANGED |  Operation failed due to a changed file location; refresh internal state and resend. | +|  0x80244026 |  WU_E_PT_REGISTRATION_NOT_SUPPORTED |  Operation failed because Windows Update Agent does not support registration with a non-WSUS server.  | +|  0x80244027 |  WU_E_PT_NO_AUTH_PLUGINS_REQUESTED |  The server returned an empty authentication information list.  | +|  0x80244028 |  WU_E_PT_NO_AUTH_COOKIES_CREATED |  Windows Update Agent was unable to create any valid authentication cookies.  | +|  0x80244029 |  WU_E_PT_INVALID_CONFIG_PROP |  A configuration property value was wrong.  | +|  0x8024402A |  WU_E_PT_CONFIG_PROP_MISSING |  A configuration property value was missing.  | +|  0x8024402B |  WU_E_PT_HTTP_STATUS_NOT_MAPPED |  The HTTP request could not be completed and the reason did not correspond to any of the WU_E_PT_HTTP_\* error codes.  | +|  0x8024402C |  WU_E_PT_WINHTTP_NAME_NOT_RESOLVED |  Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name cannot be resolved.  | +|  0x8024402F |  WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS |  External cab file processing completed with some errors. | +|  0x80244030 |  WU_E_PT_ECP_INIT_FAILED |  The external cab processor initialization did not complete.  | +|  0x80244031 |  WU_E_PT_ECP_INVALID_FILE_FORMAT |  The format of a metadata file was invalid.  | +|  0x80244032 |  WU_E_PT_ECP_INVALID_METADATA |  External cab processor found invalid metadata.  | +|  0x80244033 |  WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST |  The file digest could not be extracted from an external cab file.  | +|  0x80244034 |  WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE |  An external cab file could not be decompressed.  | +|  0x80244035 |  WU_E_PT_ECP_FILE_LOCATION_ERROR |  External cab processor was unable to get file locations.  | +|  0x80244FFF |  WU_E_PT_UNEXPECTED |  A communication error not covered by another WU_E_PT_\* error code.  | +|  0x8024502D |  WU_E_PT_SAME_REDIR_ID |  Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery.  | +|  0x8024502E |  WU_E_PT_NO_MANAGED_RECOVER |  A redirector recovery action did not complete because the server is managed.  | + +## Download Manager errors + +| Error code | Message | Description | +|-------------|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| +|  0x80246001 |  WU_E_DM_URLNOTAVAILABLE |  A download manager operation could not be completed because the requested file does not have a URL.  | +|  0x80246002 |  WU_E_DM_INCORRECTFILEHASH |  A download manager operation could not be completed because the file digest was not recognized.  | +|  0x80246003 |  WU_E_DM_UNKNOWNALGORITHM |  A download manager operation could not be completed because the file metadata requested an unrecognized hash algorithm.  | +|  0x80246004 |  WU_E_DM_NEEDDOWNLOADREQUEST |  An operation could not be completed because a download request is required from the download handler.  | +|  0x80246005 |  WU_E_DM_NONETWORK |  A download manager operation could not be completed because the network connection was unavailable.  | +|  0x80246006 |  WU_E_DM_WRONGBITSVERSION |  A download manager operation could not be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible. | +|  0x80246007 |  WU_E_DM_NOTDOWNLOADED |  The update has not been downloaded.  | +|  0x80246008 |  WU_E_DM_FAILTOCONNECTTOBITS |  A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS). | +|  0x80246009 | WU_E_DM_BITSTRANSFERERROR |  A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error.  | +|  0x8024600A |  WU_E_DM_DOWNLOADLOCATIONCHANGED |  A download must be restarted because the location of the source of the download has changed. | +|  0x8024600B |  WU_E_DM_CONTENTCHANGED |  A download must be restarted because the update content changed in a new revision.  | +|  0x80246FFF |  WU_E_DM_UNEXPECTED |  There was a download manager error not covered by another WU_E_DM_\* error code.  | + +## Update Handler errors + +| Error code | Message | Description | +|-------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| +|  0x80242000 |  WU_E_UH_REMOTEUNAVAILABLE | 9 A request for a remote update handler could not be completed because no remote process is available.  | +|  0x80242001 |  WU_E_UH_LOCALONLY |  A request for a remote update handler could not be completed because the handler is local only.  | +|  0x80242002 |  WU_E_UH_UNKNOWNHANDLER |  A request for an update handler could not be completed because the handler could not be recognized.  | +|  0x80242003 |  WU_E_UH_REMOTEALREADYACTIVE |  A remote update handler could not be created because one already exists.  | +|  0x80242004 |  WU_E_UH_DOESNOTSUPPORTACTION |  A request for the handler to install (uninstall) an update could not be completed because the update does not support install (uninstall). | +|  0x80242005 |  WU_E_UH_WRONGHANDLER |  An operation did not complete because the wrong handler was specified.  | +|  0x80242006 |  WU_E_UH_INVALIDMETADATA |  A handler operation could not be completed because the update contains invalid metadata.  | +|  0x80242007 |  WU_E_UH_INSTALLERHUNG |  An operation could not be completed because the installer exceeded the time limit.  | +|  0x80242008 |  WU_E_UH_OPERATIONCANCELLED |  An operation being done by the update handler was cancelled.  | +|  0x80242009 |  WU_E_UH_BADHANDLERXML |  An operation could not be completed because the handler-specific metadata is invalid.  | +| 0x8024200A |  WU_E_UH_CANREQUIREINPUT |  A request to the handler to install an update could not be completed because the update requires user input.  | +|  0x8024200B |  WU_E_UH_INSTALLERFAILURE |  The installer failed to install (uninstall) one or more updates.  | +|  0x8024200C |  WU_E_UH_FALLBACKTOSELFCONTAINED |  The update handler should download self-contained content rather than delta-compressed content for the update.  | +|  0x8024200D |  WU_E_UH_NEEDANOTHERDOWNLOAD |  The update handler did not install the update because it needs to be downloaded again.  | +|  0x8024200E |  WU_E_UH_NOTIFYFAILURE |  The update handler failed to send notification of the status of the install (uninstall) operation.  | +|  0x8024200F | WU_E_UH_INCONSISTENT_FILE_NAMES |  The file names contained in the update metadata and in the update package are inconsistent.  | +|  0x80242010 |  WU_E_UH_FALLBACKERROR |  The update handler failed to fall back to the self-contained content.  | +|  0x80242011 |  WU_E_UH_TOOMANYDOWNLOADREQUESTS |  The update handler has exceeded the maximum number of download requests.  | +|  0x80242012 |  WU_E_UH_UNEXPECTEDCBSRESPONSE |  The update handler has received an unexpected response from CBS.  | +|  0x80242013 |  WU_E_UH_BADCBSPACKAGEID |  The update metadata contains an invalid CBS package identifier.  | +|  0x80242014 |  WU_E_UH_POSTREBOOTSTILLPENDING |  The post-reboot operation for the update is still in progress.  | +|  0x80242015 |  WU_E_UH_POSTREBOOTRESULTUNKNOWN |  The result of the post-reboot operation for the update could not be determined.  | +|  0x80242016 |  WU_E_UH_POSTREBOOTUNEXPECTEDSTATE |  The state of the update after its post-reboot operation has completed is unexpected.  | +|  0x80242017 |  WU_E_UH_NEW_SERVICING_STACK_REQUIRED |  The OS servicing stack must be updated before this update is downloaded or installed.  | +|  0x80242FFF |  WU_E_UH_UNEXPECTED |  An update handler error not covered by another WU_E_UH_\* code.  | + +## Data Store errors + +| Error code | Message | Description | +|-------------|-------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|  0x80248000 |  WU_E_DS_SHUTDOWN |  An operation failed because Windows Update Agent is shutting down.  | +|  0x80248001 |  WU_E_DS_INUSE |  An operation failed because the data store was in use. | +|  0x80248002 |  WU_E_DS_INVALID |  The current and expected states of the data store do not match. | +|  0x80248003 |  WU_E_DS_TABLEMISSING |  The data store is missing a table.  | +|  0x80248004 |  WU_E_DS_TABLEINCORRECT |  The data store contains a table with unexpected columns.  | +|  0x80248005 |  WU_E_DS_INVALIDTABLENAME |  A table could not be opened because the table is not in the data store.  | +|  0x80248006 |  WU_E_DS_BADVERSION |  The current and expected versions of the data store do not match.  | +|  0x80248007 |  WU_E_DS_NODATA |  The information requested is not in the data store.  | +|  0x80248008 |  WU_E_DS_MISSINGDATA |  The data store is missing required information or has a NULL in a table column that requires a non-null value.  | +|  0x80248009 |  WU_E_DS_MISSINGREF |  The data store is missing required information or has a reference to missing license terms file localized property or linked row. | +|  0x8024800A |  WU_E_DS_UNKNOWNHANDLER |  The update was not processed because its update handler could not be recognized.  | +|  0x8024800B |  WU_E_DS_CANTDELETE |  The update was not deleted because it is still referenced by one or more services.  | +|  0x8024800C |  WU_E_DS_LOCKTIMEOUTEXPIRED |  The data store section could not be locked within the allotted time.  | +|  0x8024800D |  WU_E_DS_NOCATEGORIES |  The category was not added because it contains no parent categories and is not a top-level category itself.  | +|  0x8024800E |  WU_E_DS_ROWEXISTS |  The row was not added because an existing row has the same primary key.  | +|  0x8024800F |  WU_E_DS_STOREFILELOCKED |  The data store could not be initialized because it was locked by another process.  | +|  0x80248010 |  WU_E_DS_CANNOTREGISTER |  The data store is not allowed to be registered with COM in the current process.  | +|  0x80248011 | WU_E_DS_UNABLETOSTART |  Could not create a data store object in another process.  | +|  0x80248013 |  WU_E_DS_DUPLICATEUPDATEID | The server sent the same update to the client with two different revision IDs.  | +|  0x80248014 | WU_E_DS_UNKNOWNSERVICE |  An operation did not complete because the service is not in the data store.  | +| 0x80248015 | WU_E_DS_SERVICEEXPIRED | An operation did not complete because the registration of the service has expired.  | +| 0x80248016 |  WU_E_DS_DECLINENOTALLOWED |  A request to hide an update was declined because it is a mandatory update or because it was deployed with a deadline.  | +| 0x80248017 |  WU_E_DS_TABLESESSIONMISMATCH |  A table was not closed because it is not associated with the session.  | +| 0x80248018 |  WU_E_DS_SESSIONLOCKMISMATCH |  A table was not closed because it is not associated with the session.  | +| 0x80248019 |  WU_E_DS_NEEDWINDOWSSERVICE |  A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it is a built-in service and/or Automatic Updates cannot fall back to another service.  | +| 0x8024801A |  WU_E_DS_INVALIDOPERATION |  A request was declined because the operation is not allowed.  | +| 0x8024801B |  WU_E_DS_SCHEMAMISMATCH |  The schema of the current data store and the schema of a table in a backup XML document do not match.  | +| 0x8024801C |  WU_E_DS_RESETREQUIRED |  The data store requires a session reset; release the session and retry with a new session.  | +| 0x8024801D |  WU_E_DS_IMPERSONATED |  A data store operation did not complete because it was requested with an impersonated identity.  | +| 0x80248FFF |  WU_E_DS_UNEXPECTED |  A data store error not covered by another WU_E_DS_\* code.  | + +## Driver Util errors +The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This is not a fatal error, and the device is merely skipped. + +|Error code|Message|Description +|-|-|-| +| 0x8024C001 | WU_E_DRV_PRUNED| A driver was skipped.  +| 0x8024C002 |WU_E_DRV_NOPROP_OR_LEGACY| A property for the driver could not be found. It may not conform with required specifications.  +| 0x8024C003 | WU_E_DRV_REG_MISMATCH| The registry type read for the driver does not match the expected type.  +| 0x8024C004 | WU_E_DRV_NO_METADATA| The driver update is missing metadata.  +| 0x8024C005 | WU_E_DRV_MISSING_ATTRIBUTE| The driver update is missing a required attribute.  +| 0x8024C006| WU_E_DRV_SYNC_FAILED| Driver synchronization failed.  +| 0x8024C007 | WU_E_DRV_NO_PRINTER_CONTENT| Information required for the synchronization of applicable printers is missing.  +| 0x8024CFFF | WU_E_DRV_UNEXPECTED| A driver error not covered by another WU_E_DRV_* code.  + +## Windows Update error codes + +|Error code|Message|Description +|-|-|-| +| 0x80240001 | WU_E_NO_SERVICE| Windows Update Agent was unable to provide the service.  +| 0x80240002 | WU_E_MAX_CAPACITY_REACHED | The maximum capacity of the service was exceeded.  +| 0x80240003 | WU_E_UNKNOWN_ID| An ID cannot be found.  +| 0x80240004 | WU_E_NOT_INITIALIZED| The object could not be initialized.  +| 0x80240005 | WU_E_RANGEOVERLAP |The update handler requested a byte range overlapping a previously requested range.  +| 0x80240006 | WU_E_TOOMANYRANGES| The requested number of byte ranges exceeds the maximum number (2^31 - 1).  +| 0x80240007 | WU_E_INVALIDINDEX| The index to a collection was invalid.  +| 0x80240008 | WU_E_ITEMNOTFOUND| The key for the item queried could not be found.  +| 0x80240009 | WU_E_OPERATIONINPROGRESS| Another conflicting operation was in progress. Some operations such as installation cannot be performed twice simultaneously.  +| 0x8024000A | WU_E_COULDNOTCANCEL| Cancellation of the operation was not allowed.  +| 0x8024000B | WU_E_CALL_CANCELLED| Operation was cancelled.  +| 0x8024000C | WU_E_NOOP| No operation was required.  +| 0x8024000D | WU_E_XML_MISSINGDATA| Windows Update Agent could not find required information in the update's XML data.  +| 0x8024000E | WU_E_XML_INVALID| Windows Update Agent found invalid information in the update's XML data.  +| 0x8024000F | WU_E_CYCLE_DETECTED | Circular update relationships were detected in the metadata.  +| 0x80240010 | WU_E_TOO_DEEP_RELATION| Update relationships too deep to evaluate were evaluated.  +| 0x80240011 | WU_E_INVALID_RELATIONSHIP| An invalid update relationship was detected.  +| 0x80240012 | WU_E_REG_VALUE_INVALID| An invalid registry value was read.  +| 0x80240013 | WU_E_DUPLICATE_ITEM| Operation tried to add a duplicate item to a list.  +| 0x80240016 | WU_E_INSTALL_NOT_ALLOWED| Operation tried to install while another installation was in progress or the system was pending a mandatory restart.  +| 0x80240017 | WU_E_NOT_APPLICABLE| Operation was not performed because there are no applicable updates.  +| 0x80240018 | WU_E_NO_USERTOKEN| Operation failed because a required user token is missing.  +| 0x80240019 | WU_E_EXCLUSIVE_INSTALL_CONFLICT| An exclusive update cannot be installed with other updates at the same time.  +| 0x8024001A | WU_E_POLICY_NOT_SET | A policy value was not set.  +| 0x8024001B | WU_E_SELFUPDATE_IN_PROGRESS| The operation could not be performed because the Windows Update Agent is self-updating.  +| 0x8024001D | WU_E_INVALID_UPDATE| An update contains invalid metadata.  +| 0x8024001E | WU_E_SERVICE_STOP| Operation did not complete because the service or system was being shut down.  +| 0x8024001F | WU_E_NO_CONNECTION| Operation did not complete because the network connection was unavailable.  +| 0x80240020 | WU_E_NO_INTERACTIVE_USER| Operation did not complete because there is no logged-on interactive user.  +| 0x80240021 | WU_E_TIME_OUT| Operation did not complete because it timed out.  +| 0x80240022 | WU_E_ALL_UPDATES_FAILED| Operation failed for all the updates.  +| 0x80240023 | WU_E_EULAS_DECLINED| The license terms for all updates were declined.  +| 0x80240024 | WU_E_NO_UPDATE| There are no updates.  +| 0x80240025 | WU_E_USER_ACCESS_DISABLED| Group Policy settings prevented access to Windows Update.  +| 0x80240026 | WU_E_INVALID_UPDATE_TYPE| The type of update is invalid.  +| 0x80240027 | WU_E_URL_TOO_LONG| The URL exceeded the maximum length.  +| 0x80240028 | WU_E_UNINSTALL_NOT_ALLOWED| The update could not be uninstalled because the request did not originate from a WSUS server.  +| 0x80240029 | WU_E_INVALID_PRODUCT_LICENSE| Search may have missed some updates before there is an unlicensed application on the system.  +| 0x8024002A | WU_E_MISSING_HANDLER| A component required to detect applicable updates was missing.  +| 0x8024002B | WU_E_LEGACYSERVER| An operation did not complete because it requires a newer version of server.  +| 0x8024002C | WU_E_BIN_SOURCE_ABSENT| A delta-compressed update could not be installed because it required the source.  +| 0x8024002D | WU_E_SOURCE_ABSENT| A full-file update could not be installed because it required the source.  +| 0x8024002E | WU_E_WU_DISABLED| Access to an unmanaged server is not allowed.  +| 0x8024002F | WU_E_CALL_CANCELLED_BY_POLICY| Operation did not complete because the DisableWindowsUpdateAccess policy was set.  +| 0x80240030 | WU_E_INVALID_PROXY_SERVER| The format of the proxy list was invalid.  +| 0x80240031 | WU_E_INVALID_FILE| The file is in the wrong format.  +| 0x80240032 | WU_E_INVALID_CRITERIA| The search criteria string was invalid.  +| 0x80240033 | WU_E_EULA_UNAVAILABLE| License terms could not be downloaded.  +| 0x80240034 | WU_E_DOWNLOAD_FAILED| Update failed to download.  +| 0x80240035 | WU_E_UPDATE_NOT_PROCESSED| The update was not processed.  +| 0x80240036 | WU_E_INVALID_OPERATION| The object's current state did not allow the operation.  +| 0x80240037 | WU_E_NOT_SUPPORTED| The functionality for the operation is not supported.  +| 0x80240038 | WU_E_WINHTTP_INVALID_FILE| The downloaded file has an unexpected content type.  +| 0x80240039 | WU_E_TOO_MANY_RESYNC| Agent is asked by server to resync too many times.  +| 0x80240040 | WU_E_NO_SERVER_CORE_SUPPORT| WUA API method does not run on Server Core installation.  +| 0x80240041 | WU_E_SYSPREP_IN_PROGRESS| Service is not available while sysprep is running.  +| 0x80240042 | WU_E_UNKNOWN_SERVICE| The update service is no longer registered with AU.  +| 0x80240043 | WU_E_NO_UI_SUPPORT| There is no support for WUA UI.  +| 0x80240FFF | WU_E_UNEXPECTED| An operation failed due to reasons not covered by another error code.  + +## Windows Update success codes + +|Error code|Message|Description +|-|-|-| +| 0x00240001| WU_S_SERVICE_STOP| Windows Update Agent was stopped successfully.  +| 0x00240002 | WU_S_SELFUPDATE| Windows Update Agent updated itself.  +| 0x00240003 | WU_S_UPDATE_ERROR| Operation completed successfully but there were errors applying the updates.  +| 0x00240004 | WU_S_MARKED_FOR_DISCONNECT| A callback was marked to be disconnected later because the request to disconnect the operation came while a callback was executing.  +| 0x00240005 | WU_S_REBOOT_REQUIRED| The system must be restarted to complete installation of the update.  +| 0x00240006 | WU_S_ALREADY_INSTALLED| The update to be installed is already installed on the system.  +| 0x00240007 | WU_S_ALREADY_UNINSTALLED | The update to be removed is not installed on the system.  +| 0x00240008 | WU_S_ALREADY_DOWNLOADED| The update to be downloaded has already been downloaded.  + +## Windows Installer minor errors +The following errors are used to indicate that part of a search fails because of Windows Installer problems. Another part of the search may successfully return updates. All Windows Installer minor codes must share the same error code range so that the caller can tell that they are related to Windows Installer. + +|Error code|Message|Description +|-|-|-| +| 0x80241001 |WU_E_MSI_WRONG_VERSION| Search may have missed some updates because the Windows Installer is less than version 3.1.  +| 0x80241002 | WU_E_MSI_NOT_CONFIGURED| Search may have missed some updates because the Windows Installer is not configured.  +| 0x80241003 | WU_E_MSP_DISABLED| Search may have missed some updates because policy has disabled Windows Installer patching.  +| 0x80241004 | WU_E_MSI_WRONG_APP_CONTEXT| An update could not be applied because the application is installed per-user.  +| 0x80241FFF | WU_E_MSP_UNEXPECTED| Search may have missed some updates because there was a failure of the Windows Installer.  + +## Windows Update Agent update and setup errors + +|Error code|Message|Description +|-|-|-| +| 0x8024D001 | WU_E_SETUP_INVALID_INFDATA| Windows Update Agent could not be updated because an INF file contains invalid information.  +| 0x8024D002 | WU_E_SETUP_INVALID_IDENTDATA| Windows Update Agent could not be updated because the wuident.cab file contains invalid information.  +| 0x8024D003 | WU_E_SETUP_ALREADY_INITIALIZED| Windows Update Agent could not be updated because of an internal error that caused setup initialization to be performed twice.  +| 0x8024D004 | WU_E_SETUP_NOT_INITIALIZED| Windows Update Agent could not be updated because setup initialization never completed successfully.  +| 0x8024D005 | WU_E_SETUP_SOURCE_VERSION_MISMATCH| Windows Update Agent could not be updated because the versions specified in the INF do not match the actual source file versions.  +| 0x8024D006 | WU_E_SETUP_TARGET_VERSION_GREATER| Windows Update Agent could not be updated because a WUA file on the target system is newer than the corresponding source file.  +| 0x8024D007 | WU_E_SETUP_REGISTRATION_FAILED| Windows Update Agent could not be updated because regsvr32.exe returned an error.  +| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE| An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file.  +| 0x8024D00A | WU_E_SETUP_UNSUPPORTED_CONFIGURATION| Windows Update Agent could not be updated because the current system configuration is not supported.  +| 0x8024D00B | WU_E_SETUP_BLOCKED_CONFIGURATION| Windows Update Agent could not be updated because the system is configured to block the update.  +| 0x8024D00C | WU_E_SETUP_REBOOT_TO_FIX| Windows Update Agent could not be updated because a restart of the system is required.  +| 0x8024D00D | WU_E_SETUP_ALREADYRUNNING| Windows Update Agent setup is already running.  +| 0x8024D00E | WU_E_SETUP_REBOOTREQUIRED| Windows Update Agent setup package requires a reboot to complete installation.  +| 0x8024D00F | WU_E_SETUP_HANDLER_EXEC_FAILURE| Windows Update Agent could not be updated because the setup handler failed during execution.  +| 0x8024D010 | WU_E_SETUP_INVALID_REGISTRY_DATA| Windows Update Agent could not be updated because the registry contains invalid information.  +| 0x8024D013 | WU_E_SETUP_WRONG_SERVER_VERSION| Windows Update Agent could not be updated because the server does not contain update information for this version.  +| 0x8024DFFF | WU_E_SETUP_UNEXPECTED| Windows Update Agent could not be updated because of an error not covered by another WU_E_SETUP_* error code.  diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index 049bedc236..cdb6ea9f85 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -1,40 +1,42 @@ ---- -title: Windows Update common errors and mitigation -description: Learn about some common issues you might experience with Windows Update -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.audience: itpro author: greg-lindsay -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Windows Update common errors and mitigation - ->Applies to: Windows 10 - -The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them. - - -| Error Code | Message | Description | Mitigation | -|------------------------------------------|-----------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
The IP addresses of the computers you want to get updates successfully on, should be added to the exceptions list of Lightspeed | -| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

To do this, type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
Ren %systemroot%\system32\catroot2 \*.bak | -| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that we do not have any policies that control the start behavior for the Windows Module Installer. This service should not be hardened to any start value and should be managed by the OS. | -| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there is no Firewalls that filter downloads. The Firewall filtering may lead to invalid responses being received by the Windows Update Client.

If the issue still persists, run the [WU reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). | -| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to Internet. To fix this issue, following these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com


Additionally , you can take a network trace and see what is timing out. \ | -| 0x80072EFD
0x80072EFE 
0x80D02002 | TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | -| 0X8007000D | ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred. | Attempt to re-download the update and initiate installation. | -| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the WU Service is shutting down. | This may happen due to a very long period of time of inactivity, a system hang leading to the service being idle and leading to the shutdown of the service. Ensure that the system remains active and the connections remain established to complete the upgrade. | -| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Please login to the system to initiate the installation and allow the system to be rebooted. | -| 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-reboot operation for the update is still in progress. | Some Windows Updates require the system to be restarted. Reboot the system to complete the installation of the Updates. | -| 0x80246017 | WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator). | -| 0x8024000B | WU_E_CALL_CANCELLED | Operation was cancelled. | This indicates that the operation was cancelled by the user/service. You may also encounter this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | -| 0x8024000E | WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | -| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | -| 0x80244007 | WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | - +--- +title: Windows Update common errors and mitigation +description: Learn about some common issues you might experience with Windows Update +ms.prod: w10 +ms.mktglfcycl: +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationprioauthor: jaimeo +ms.audience: itpro +author: jaimeo +ms.date: 09/18/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Windows Update common errors and mitigation + +>Applies to: Windows 10 + +The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them. + + +| Error Code | Message | Description | Mitigation | +|------------------------------------------|-----------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
The IP addresses of the computers you want to get updates successfully on, should be added to the exceptions list of Lightspeed | +| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

To do this, type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
Ren %systemroot%\system32\catroot2 \*.bak | +| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that we do not have any policies that control the start behavior for the Windows Module Installer. This service should not be hardened to any start value and should be managed by the OS. | +| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there is no Firewalls that filter downloads. The Firewall filtering may lead to invalid responses being received by the Windows Update Client.

If the issue still persists, run the [WU reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). | +| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to Internet. To fix this issue, following these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com


Additionally , you can take a network trace and see what is timing out. \ | +| 0x80072EFD
0x80072EFE 
0x80D02002 | TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | +| 0X8007000D | ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred. | Attempt to re-download the update and initiate installation. | +| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the WU Service is shutting down. | This may happen due to a very long period of time of inactivity, a system hang leading to the service being idle and leading to the shutdown of the service. Ensure that the system remains active and the connections remain established to complete the upgrade. | +| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Please login to the system to initiate the installation and allow the system to be rebooted. | +| 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-reboot operation for the update is still in progress. | Some Windows Updates require the system to be restarted. Reboot the system to complete the installation of the Updates. | +| 0x80246017 | WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator). | +| 0x8024000B | WU_E_CALL_CANCELLED | Operation was cancelled. | This indicates that the operation was cancelled by the user/service. You may also encounter this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | +| 0x8024000E | WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | +| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | +| 0x80244007 | WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | + diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md index 7eec34d793..1e9deff347 100644 --- a/windows/deployment/update/windows-update-logs.md +++ b/windows/deployment/update/windows-update-logs.md @@ -1,147 +1,149 @@ ---- -title: Windows Update log files -description: Learn about the Windows Update log files -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.audience: itpro author: greg-lindsay -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Windows Update log files - ->Applies to: Windows 10 - -The following table describes the log files created by Windows Update. - - -|Log file|Location|Description|When to Use | -|-|-|-|-| -|windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update (WU), you can use the information that is included in the Windowsupdate.log log file to troubleshoot the issue.| -|UpdateSessionOrchestration.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the Update Orchestrator is responsible for sequence of downloading and installing various update types from Windows Update. And the events are logged to these etl files.|When you see that the updates are available but download is not getting triggered.
When Updates are downloaded but installation is not triggered.
When Updates are installed but reboot is not triggered. | -|NotificationUxBroker.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the notification toast or the banner is triggered by this NotificationUxBroker.exe . And the logs to check its working is this etl. |When you want to check whether the Notification was triggered or not for reboot or update availability etc. | -|CBS.log|%systemroot%\Logs\CBS|This logs provides insight on the update installation part in the servicing stack.|To troubleshoot the issues related to WU installation.| - -## Generating WindowsUpdate.log -To merge and convert WU trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](https://docs.microsoft.com/powershell/module/windowsupdate/get-windowsupdatelog?view=win10-ps). - ->[!NOTE] ->When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpate.log unless you run **Get-WindowsUpdateLog** again. - -### Windows Update log components -The WU engine has different component names. The following are some of the most common components that appear in the WindowsUpdate.log file: - -- AGENT- Windows Update agent -- AU - Automatic Updates is performing this task -- AUCLNT- Interaction between AU and the logged-on user -- CDM- Device Manager -- CMPRESS- Compression agent -- COMAPI- Windows Update API -- DRIVER- Device driver information -- DTASTOR- Handles database transactions -- EEHNDLER- Expression handler that's used to evaluate update applicability -- HANDLER- Manages the update installers -- MISC- General service information -- OFFLSNC- Detects available updates without network connection -- PARSER- Parses expression information -- PT- Synchronizes updates information to the local datastore -- REPORT- Collects reporting information -- SERVICE- Startup/shutdown of the Automatic Updates service -- SETUP- Installs new versions of the Windows Update client when it is available -- SHUTDWN- Install at shutdown feature -- WUREDIR- The Windows Update redirector files -- WUWEB- The Windows Update ActiveX control -- ProtocolTalker - Client-server sync -- DownloadManager - Creates and monitors payload downloads -- Handler, Setup - Installer handlers (CBS, and so on) -- EEHandler - Evaluating update applicability rules -- DataStore - Caching update data locally -- IdleTimer - Tracking active calls, stopping a service - ->[!NOTE] ->Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on what’s important. - -### Windows Update log structure -The Windows update log structure is separated into four main identities: - -- Time Stamps -- Process ID and Thread ID -- Component Name -- Update Identifiers - - Update ID and Revision Number - - Revision ID - - Local ID - - Inconsistent terminology - -The WindowsUpdate.log structure is discussed in the following sections. - -#### Time stamps -The time stamp indicates the time at which the logging occurs. -- Messages are usually in chronological order, but there may be exceptions. -- A pause during a sync can indicate a network problem, even if the scan succeeds. -- A long pause near the end of a scan can indicate a supersedence chain issue. - ![Windows Update time stamps](images/update-time-log.png) - - -#### Process ID and thread ID -The Process IDs and Thread IDs are random, and they can vary from log to log and even from service session to service session within the same log. -- The first four hex digits are the process ID. -- The next four hex digits are the thread ID. -- Each component, such as the USO, WU engine, COM API callers, and WU installer handlers, has its own process ID. - ![Windows Update process and thread IDs](images/update-process-id.png) - - -#### Component name -Search for and identify the components that are associated with the IDs. Different parts of the WU engine have different component names. Some of them are as follows: - -- ProtocolTalker - Client-server sync -- DownloadManager - Creates and monitors payload downloads -- Handler, Setup - Installer handlers (CBS, etc.) -- EEHandler - Evaluating update applicability rules -- DataStore - Caching update data locally -- IdleTimer - Tracking active calls, stopping service - -![Windows Update component name](images/update-component-name.png) - - -#### Update identifiers - -##### Update ID and revision number -There are different identifiers for the same update in different contexts. It’s important to know the identifier schemes. -- Update ID: A GUID (indicated in the previous screen shot) that's assigned to a given update at publication time -- Revision number: A number incremented every time that a given update (that has a given update ID) is modified and republished on a service -- Revision numbers are reused from one update to another (not a unique identifier). -- The update ID and revision number are often shown together as "{GUID}.revision." - ![Windows Update update identifiers](images/update-update-id.png) - - -##### Revision ID -- A Revision ID (do no confuse this with “revision number”) is a serial number that's issued when an update is initially published or revised on a given service. -- An existing update that’s revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a completely new revision ID that is not related to the previous ID. -- Revision IDs are unique on a given update source, but not across multiple sources. -- The same update revision may have completely different revision IDs on WU and WSUS. -- The same revision ID may represent different updates on WU and WSUS. - -##### Local ID -- Local ID is a serial number issued when an update is received from a service by a given WU client -- Usually seen in debug logs, especially involving the local cache for update info (Datastore) -- Different client PCs will assign different Local IDs to the same update -- You can find the local IDs that a client is using by getting the client’s %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file - -##### Inconsistent terminology -- Sometimes the logs use terms inconsistently. For example, the InstalledNonLeafUpdateIDs list actually contains revision IDs, not update IDs. -- Recognize IDs by form and context: - - - GUIDs are update IDs - - Small integers that appear alongside an update ID are revision numbers - - Large integers are typically revision IDs - - Small integers (especially in Datastore) can be local IDs - ![Windows Update inconsisten terminology](images/update-inconsistent.png) - -## Windows Setup log files analysis using SetupDiag tool -SetupDiag is a diagnostic tool that can be used for analysis of logs related to installation of Windows Updates. For detailed information, see [SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag). +--- +title: Windows Update log files +description: Learn about the Windows Update log files +ms.prod: w10 +ms.mktglfcycl: +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationprioauthor: jaimeo +ms.audience: itpro +author: jaimeo +ms.date: 09/18/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Windows Update log files + +>Applies to: Windows 10 + +The following table describes the log files created by Windows Update. + + +|Log file|Location|Description|When to Use | +|-|-|-|-| +|windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update (WU), you can use the information that is included in the Windowsupdate.log log file to troubleshoot the issue.| +|UpdateSessionOrchestration.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the Update Orchestrator is responsible for sequence of downloading and installing various update types from Windows Update. And the events are logged to these etl files.|When you see that the updates are available but download is not getting triggered.
When Updates are downloaded but installation is not triggered.
When Updates are installed but reboot is not triggered. | +|NotificationUxBroker.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the notification toast or the banner is triggered by this NotificationUxBroker.exe . And the logs to check its working is this etl. |When you want to check whether the Notification was triggered or not for reboot or update availability etc. | +|CBS.log|%systemroot%\Logs\CBS|This logs provides insight on the update installation part in the servicing stack.|To troubleshoot the issues related to WU installation.| + +## Generating WindowsUpdate.log +To merge and convert WU trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](https://docs.microsoft.com/powershell/module/windowsupdate/get-windowsupdatelog?view=win10-ps). + +>[!NOTE] +>When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpate.log unless you run **Get-WindowsUpdateLog** again. + +### Windows Update log components +The WU engine has different component names. The following are some of the most common components that appear in the WindowsUpdate.log file: + +- AGENT- Windows Update agent +- AU - Automatic Updates is performing this task +- AUCLNT- Interaction between AU and the logged-on user +- CDM- Device Manager +- CMPRESS- Compression agent +- COMAPI- Windows Update API +- DRIVER- Device driver information +- DTASTOR- Handles database transactions +- EEHNDLER- Expression handler that's used to evaluate update applicability +- HANDLER- Manages the update installers +- MISC- General service information +- OFFLSNC- Detects available updates without network connection +- PARSER- Parses expression information +- PT- Synchronizes updates information to the local datastore +- REPORT- Collects reporting information +- SERVICE- Startup/shutdown of the Automatic Updates service +- SETUP- Installs new versions of the Windows Update client when it is available +- SHUTDWN- Install at shutdown feature +- WUREDIR- The Windows Update redirector files +- WUWEB- The Windows Update ActiveX control +- ProtocolTalker - Client-server sync +- DownloadManager - Creates and monitors payload downloads +- Handler, Setup - Installer handlers (CBS, and so on) +- EEHandler - Evaluating update applicability rules +- DataStore - Caching update data locally +- IdleTimer - Tracking active calls, stopping a service + +>[!NOTE] +>Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on what’s important. + +### Windows Update log structure +The Windows update log structure is separated into four main identities: + +- Time Stamps +- Process ID and Thread ID +- Component Name +- Update Identifiers + - Update ID and Revision Number + - Revision ID + - Local ID + - Inconsistent terminology + +The WindowsUpdate.log structure is discussed in the following sections. + +#### Time stamps +The time stamp indicates the time at which the logging occurs. +- Messages are usually in chronological order, but there may be exceptions. +- A pause during a sync can indicate a network problem, even if the scan succeeds. +- A long pause near the end of a scan can indicate a supersedence chain issue. + ![Windows Update time stamps](images/update-time-log.png) + + +#### Process ID and thread ID +The Process IDs and Thread IDs are random, and they can vary from log to log and even from service session to service session within the same log. +- The first four hex digits are the process ID. +- The next four hex digits are the thread ID. +- Each component, such as the USO, WU engine, COM API callers, and WU installer handlers, has its own process ID. + ![Windows Update process and thread IDs](images/update-process-id.png) + + +#### Component name +Search for and identify the components that are associated with the IDs. Different parts of the WU engine have different component names. Some of them are as follows: + +- ProtocolTalker - Client-server sync +- DownloadManager - Creates and monitors payload downloads +- Handler, Setup - Installer handlers (CBS, etc.) +- EEHandler - Evaluating update applicability rules +- DataStore - Caching update data locally +- IdleTimer - Tracking active calls, stopping service + +![Windows Update component name](images/update-component-name.png) + + +#### Update identifiers + +##### Update ID and revision number +There are different identifiers for the same update in different contexts. It’s important to know the identifier schemes. +- Update ID: A GUID (indicated in the previous screen shot) that's assigned to a given update at publication time +- Revision number: A number incremented every time that a given update (that has a given update ID) is modified and republished on a service +- Revision numbers are reused from one update to another (not a unique identifier). +- The update ID and revision number are often shown together as "{GUID}.revision." + ![Windows Update update identifiers](images/update-update-id.png) + + +##### Revision ID +- A Revision ID (do no confuse this with “revision number”) is a serial number that's issued when an update is initially published or revised on a given service. +- An existing update that’s revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a completely new revision ID that is not related to the previous ID. +- Revision IDs are unique on a given update source, but not across multiple sources. +- The same update revision may have completely different revision IDs on WU and WSUS. +- The same revision ID may represent different updates on WU and WSUS. + +##### Local ID +- Local ID is a serial number issued when an update is received from a service by a given WU client +- Usually seen in debug logs, especially involving the local cache for update info (Datastore) +- Different client PCs will assign different Local IDs to the same update +- You can find the local IDs that a client is using by getting the client’s %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file + +##### Inconsistent terminology +- Sometimes the logs use terms inconsistently. For example, the InstalledNonLeafUpdateIDs list actually contains revision IDs, not update IDs. +- Recognize IDs by form and context: + + - GUIDs are update IDs + - Small integers that appear alongside an update ID are revision numbers + - Large integers are typically revision IDs + - Small integers (especially in Datastore) can be local IDs + ![Windows Update inconsisten terminology](images/update-inconsistent.png) + +## Windows Setup log files analysis using SetupDiag tool +SetupDiag is a diagnostic tool that can be used for analysis of logs related to installation of Windows Updates. For detailed information, see [SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag). diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md index 3eda438f80..2590530152 100644 --- a/windows/deployment/update/windows-update-overview.md +++ b/windows/deployment/update/windows-update-overview.md @@ -1,57 +1,59 @@ ---- -title: Get started with Windows Update -description: Learn how Windows Update works, including architecture and troubleshooting -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.audience: itpro author: greg-lindsay -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Get started with Windows Update - ->Applies to: Windows 10 - -With the release of Windows 10, we moved the update model to the Unified Update Platform. Unified Update Platform (UUP) is a single publishing, hosting, scan and download model for all types of OS updates, desktop and mobile for all Windows-based operating systems, for everything from monthly quality updates to new feature updates. - -Ues the following information to get started with Windows Update: - -- Understand the UUP architecture -- Understand [how Windows Update works](how-windows-update-works.md) -- Find [Windows Update log files](windows-update-logs.md) -- Learn how to [troubleshoot Windows Update](windows-update-troubleshooting.md) -- Review [common Windows Update errors](windows-update-errors.md) and check out the [error code reference](windows-update-error-reference.md) -- Review [other resources](windows-update-resources.md) to help you use Windows Update - -## Unified Update Platform (UUP) architecture -To understand the changes to the Windows Update architecture that UUP introduces let's start with some new key terms. - -![Windows Update terminology](images/update-terminology.png) - -- **Update UI** – The user interface to initiate Windows Update check and history. Available under **Settings --> Update & Security --> Windows Update**. -- **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update. - - Update types- - - OS Feature updates - - OS Security updates - - Device drivers - - Defender definition updates - - >[!NOTE] - > Other types of updates, like Office desktop updates, are installed if the user opts into Microsoft Update. - > - >Store apps aren't installed by USO, today they are separate. - -- **WU Client/ UpdateAgent** - The component running on your PC. It's essentially a DLL that is downloaded to the device when an update is applicable. It surfaces the APIs needed to perform an update, including those needed to generate a list of payloads to download, as well as starts stage and commit operations. It provides a unified interface that abstracts away the underlying update technologies from the caller. -- **WU Arbiter handle**- Code that is included in the UpdateAgent binary. The arbiter gathers information about the device, and uses the CompDB(s) to output an action list. It is responsible for determining the final "composition state" of your device, and which payloads (like ESDs or packages) are needed to get your device up to date. -- **Deployment Arbiter**- A deployment manager that calls different installers. For example, CBS. - -Additional components include the following- - -- **CompDB** – A generic term to refer to the XML describing information about target build composition, available diff packages, and conditional rules. -- **Action List** – The payload and additional information needed to perform an update. The action list is consumed by the UpdateAgent, as well as other installers to determine what payload to download. It's also consumed by the "Install Agent" to determine what actions need to be taken, such as installing or removing packages. +--- +title: Get started with Windows Update +description: Learn how Windows Update works, including architecture and troubleshooting +ms.prod: w10 +ms.mktglfcycl: +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationprioauthor: jaimeo +ms.audience: itpro +author: jaimeo +ms.date: 09/18/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Get started with Windows Update + +>Applies to: Windows 10 + +With the release of Windows 10, we moved the update model to the Unified Update Platform. Unified Update Platform (UUP) is a single publishing, hosting, scan and download model for all types of OS updates, desktop and mobile for all Windows-based operating systems, for everything from monthly quality updates to new feature updates. + +Ues the following information to get started with Windows Update: + +- Understand the UUP architecture +- Understand [how Windows Update works](how-windows-update-works.md) +- Find [Windows Update log files](windows-update-logs.md) +- Learn how to [troubleshoot Windows Update](windows-update-troubleshooting.md) +- Review [common Windows Update errors](windows-update-errors.md) and check out the [error code reference](windows-update-error-reference.md) +- Review [other resources](windows-update-resources.md) to help you use Windows Update + +## Unified Update Platform (UUP) architecture +To understand the changes to the Windows Update architecture that UUP introduces let's start with some new key terms. + +![Windows Update terminology](images/update-terminology.png) + +- **Update UI** – The user interface to initiate Windows Update check and history. Available under **Settings --> Update & Security --> Windows Update**. +- **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update. + + Update types- + - OS Feature updates + - OS Security updates + - Device drivers + - Defender definition updates + + >[!NOTE] + > Other types of updates, like Office desktop updates, are installed if the user opts into Microsoft Update. + > + >Store apps aren't installed by USO, today they are separate. + +- **WU Client/ UpdateAgent** - The component running on your PC. It's essentially a DLL that is downloaded to the device when an update is applicable. It surfaces the APIs needed to perform an update, including those needed to generate a list of payloads to download, as well as starts stage and commit operations. It provides a unified interface that abstracts away the underlying update technologies from the caller. +- **WU Arbiter handle**- Code that is included in the UpdateAgent binary. The arbiter gathers information about the device, and uses the CompDB(s) to output an action list. It is responsible for determining the final "composition state" of your device, and which payloads (like ESDs or packages) are needed to get your device up to date. +- **Deployment Arbiter**- A deployment manager that calls different installers. For example, CBS. + +Additional components include the following- + +- **CompDB** – A generic term to refer to the XML describing information about target build composition, available diff packages, and conditional rules. +- **Action List** – The payload and additional information needed to perform an update. The action list is consumed by the UpdateAgent, as well as other installers to determine what payload to download. It's also consumed by the "Install Agent" to determine what actions need to be taken, such as installing or removing packages. diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md index ead5fd7aaf..16e2488d65 100644 --- a/windows/deployment/update/windows-update-resources.md +++ b/windows/deployment/update/windows-update-resources.md @@ -3,12 +3,12 @@ title: Windows Update - Additional resources description: Additional resources for Windows Update ms.prod: w10 ms.mktglfcycl: -ms.sitesec: library + audience: itpro -author: greg-lindsay +author: jaimeo ms.localizationpriority: medium ms.audience: itpro -author: greg-lindsay +author: jaimeo ms.date: 09/18/2018 ms.reviewer: manager: laurawi diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md index ac0087fb59..98c67ca840 100644 --- a/windows/deployment/update/windows-update-troubleshooting.md +++ b/windows/deployment/update/windows-update-troubleshooting.md @@ -1,217 +1,219 @@ ---- -title: Windows Update troubleshooting -description: Learn how to troubleshoot Windows Update -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.audience: itpro author: greg-lindsay -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Windows Update troubleshooting - ->Applies to: Windows 10 - -If you run into problems when using Windows Update, start with the following steps: - -1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to **Settings > Update & Security > Troubleshoot > Windows Update**. -2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on SSU. -3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system: - - - [Windows 10, version 1809 and Windows Server 2019](https://support.microsoft.com/help/4464619/windows-10-update-history) - - [Windows 10, version 1803](https://support.microsoft.com/help/4099479/windows-10-update-history) - - [Windows 10, version 1709](https://support.microsoft.com/help/4043454) - - [Windows 10, version 1703](https://support.microsoft.com/help/4018124) - - [Windows 10 and Windows Server 2016](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) - - [Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/4009470/windows-8-1-windows-server-2012-r2-update-history) - - [Windows Server 2012](https://support.microsoft.com/help/4009471/windows-server-2012-update-history) - - [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/4009469/windows-7-sp1-windows-server-2008-r2-sp1-update-history) - -Advanced users can also refer to the [log](windows-update-logs.md) generated by Windows Update for further investigation. - -You might encounter the following scenarios when using Windows Update. - -## Why am I offered an older update/upgrade? -The update that is offered to a device depends on several factors. Some of the most common attributes include the following: - -- OS Build -- OS Branch -- OS Locale -- OS Architecture -- Device update management configuration - -If the update you're offered isn't the most current available, it might be because your device is being managed by a WSUS server, and you're being offered the updates available on that server. It's also possible, if your device is part of a Windows as a Service deployment ring, that your admin is intentionally slowing the rollout of updates. Since the WaaS rollout is slow and measured to begin with, all devices will not receive the update on the same day. - -## My machine is frozen at scan. Why? -The Settings UI is talking to the Update Orchestrator service which in turn is talking to Windows Update service. If these services stop unexpectedly then you might see this behavior. In such cases, do the following: -1. Close the Settings app and reopen it. -2. Launch Services.msc and check if the following services are running: - - Update State Orchestrator - - Windows Update - -## Feature updates are not being offered while other updates are -On computers running [Windows 10 1709 or higher](#BKMK_DCAT) configured to update from Windows Update (usually WUfB scenario) servicing and definition updates are being installed successfully, but feature updates are never offered. - -Checking the WindowsUpdate.log reveals the following error: -``` -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent * START * Finding updates CallerId = Update;taskhostw Id = 25 -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Online = Yes; Interactive = No; AllowCachedResults = No; Ignore download priority = No -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent ServiceID = {855E8A7C-ECB4-4CA3-B045-1DFA50104289} Third party service -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Search Scope = {Current User} -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Caller SID for Applicability: S-1-12-1-2933642503-1247987907-1399130510-4207851353 -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc Got 855E8A7C-ECB4-4CA3-B045-1DFA50104289 redir Client/Server URL: https://fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx"" -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc Token Requested with 0 category IDs. -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc GetUserTickets: No user tickets found. Returning WU_E_NO_USERTOKEN. -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::GetDeviceTickets:570] -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::GetDeviceTickets:570] -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetDeviceTickets -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::AddTickets:1092] -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [CUpdateEndpointProvider::GenerateSecurityTokenWithAuthTickets:1587] -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetAgentTokenFromServer -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetAgentToken -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] EP:Call to GetEndpointToken -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Failed to obtain service 855E8A7C-ECB4-4CA3-B045-1DFA50104289 plugin Client/Server auth token of type 0x00000001 -YYYY/MM/DD HH:mm:ss:SSS PID TID ProtocolTalker *FAILED* [80070426] Method failed [CAgentProtocolTalkerContext::DetermineServiceEndpoint:377] -YYYY/MM/DD HH:mm:ss:SSS PID TID ProtocolTalker *FAILED* [80070426] Initialization failed for Protocol Talker Context -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Exit code = 0x80070426 -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent * END * Finding updates CallerId = Update;taskhostw Id = 25 -``` - -The 0x80070426 error code translates to: -``` -ERROR_SERVICE_NOT_ACTIVE - # The service has not been started. -``` - -Microsoft Account Sign In Assistant (MSA or wlidsvc) is the service in question. The DCAT Flighting service (ServiceId: 855E8A7C-ECB4-4CA3-B045-1DFA50104289) relies on the Microsoft Account Sign In Assistant (MSA) to get the Global Device ID for the device. Without the MSA service running, the global device ID will not be generated and sent by the client and the search for feature updates never completes successfully. - -In order to solve this issue, we need to reset the MSA service to the default StartType of manual. - -## Issues related to HTTP/Proxy -Windows Update uses WinHttp with Partial Range requests (RFC 7233) to download updates and applications from Windows Update servers or on-premises WSUS servers. Because of this proxy servers configured on the network must support HTTP RANGE requests. If a proxy was configured in Internet Explorer (User level) but not in WinHTTP (System level), connections to Windows Update will fail. - -To fix this issue, configure a proxy in WinHTTP by using the following netsh command: - -``` -netsh winhttp set proxy ProxyServerName:PortNumber -``` - ->[!NOTE] -> You can also import the proxy settings from Internet Explorer by using the following command: netsh winhttp import proxy source=ie - -If downloads through a proxy server fail with a 0x80d05001 DO_E_HTTP_BLOCKSIZE_MISMATCH error, or if you notice high CPU usage while updates are downloading, check the proxy configuration to permit HTTP RANGE requests to run. - -You may choose to apply a rule to permit HTTP RANGE requests for the following URLs: - -*.download.windowsupdate.com -*.dl.delivery.mp.microsoft.com -*.emdl.ws.microsoft.com - -If you cannot permit RANGE requests, keep in mind that this means you are downloading more content than needed in updates (as delta patching will not work). - - -## The update is not applicable to your computer -The most common reasons for this error are described in the following table: - -|Cause|Explanation|Resolution| -|-----|-----------|----------| -|Update is superseded|As updates for a component are released, the updated component will supersede an older component that is already on the system. When this occurs, the previous update is marked as superseded. If the update that you're trying to install already has a newer version of the payload on your system, you may encounter this error message.|Check that the package that you are installing contains newer versions of the binaries. Or, check that the package is superseded by another new package. | -|Update is already installed|If the update that you're trying to install was previously installed, for example, by another update that carried the same payload, you may encounter this error message.|Verify that the package that you are trying to install was not previously installed.| -|Wrong update for architecture|Updates are published by CPU architecture. If the update that you're trying to install does not match the architecture for your CPU, you may encounter this error message. |Verify that the package that you're trying to install matches the Windows version that you are using. The Windows version information can be found in the "Applies To" section of the article for each update. For example, Windows Server 2012-only updates cannot be installed on Windows Server 2012 R2-based computers.
Also, verify that the package that you are installing matches the processor architecture of the Windows version that you are using. For example, an x86-based update cannot be installed on x64-based installations of Windows. | -|Missing prerequisite update|Some updates require a prerequisite update before they can be applied to a system. If you are missing a prerequisite update, you may encounter this error message. For example, KB 2919355 must be installed on Windows 8.1 and Windows Server 2012 R2 computers before many of the updates that were released after April 2014 can be installed.|Check the related articles about the package in the Microsoft Knowledge Base (KB) to make sure that you have the prerequisite updates installed. For example, if you encounter the error message on Windows 8.1 or Windows Server 2012 R2, you may have to install the April 2014 update 2919355 as a prerequisite and one or more pre-requisite servicing updates (KB 2919442 and KB 3173424).
Note: To determine if these prerequisite updates are installed, run the following PowerShell command:
get-hotfix KB3173424,KB2919355,KB2919442
If the updates are installed, the command will return the installed date in the "InstalledOn" section of the output. - -## Issues related to firewall configuration -Error that may be seen in the WU logs: -``` -DownloadManager Error 0x800706d9 occurred while downloading update; notifying dependent calls. -``` -Or -``` -[DownloadManager] BITS job {A4AC06DD-D6E6-4420-8720-7407734FDAF2} hit a transient error, updateId = {D053C08A-6250-4C43-A111-56C5198FE142}.200 , error = 0x800706D9 -``` -Or -``` -DownloadManager [0]12F4.1FE8::09/29/2017-13:45:08.530 [agent]DO job {C6E2F6DC-5B78-4608-B6F1-0678C23614BD} hit a transient error, updateId = 5537BD35-BB74-40B2-A8C3-B696D3C97CBA.201 , error = 0x80D0000A -``` - -Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. For more information, see [I need to disable Windows Firewall](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766337(v=ws.10)). - -## Issues arising from configuration of conflicting policies -Windows Update provides a wide range configuration policies to control the behavior of WU service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting polices may lead to unexpected behaviors. - -See [How to configure automatic updates by using Group Policy or registry settings](https://support.microsoft.com/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s) for more information. - - -## Updates aren't downloading from the intranet endpoint (WSUS/SCCM) -Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps: -1. Start Windows PowerShell as an administrator -2. Run \$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager". -3. Run \$MUSM.Services. - -Check the output for the Name and OffersWindowsUPdates parameters, which you can interpret according to this table. - -|Output|Interpretation| -|-|-| -|- Name: Microsoft Update
-OffersWindowsUpdates: True| - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.
- Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.) | -|- Name: DCat Flighting Prod
- OffersWindowsUpdates: True |- Starting with Windows 10 1709, feature updates are always delivered through the DCAT service.
- Indicates that the client is configured to receive feature updates from Windows Update. | -|- Name: Windows Store (DCat Prod)
- OffersWindowsUpdates: False |-The update source is Insider Updates for Store Apps.
- Indicates that the client will not receive or is not configured to receive these updates.| -|- Name: Windows Server Update Service
- OffersWindowsUpdates: True |- The source is a Windows Server Updates Services server.
- The client is configured to receive updates from WSUS. | -|- Name: Windows Update
- OffersWindowsUpdates: True|- The source is Windows Update.
- The client is configured to receive updates from Windows Update Online.| - -## You have a bad setup in the environment -If we look at the GPO being set through registry, the system is configured to use WSUS to download updates: - -``` -HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] -"UseWUServer"=dword:00000001 ===================================> it says use WSUS server. -``` - -From the WU logs: -``` -2018-08-06 09:33:31:085 480 1118 Agent ** START ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] -2018-08-06 09:33:31:085 480 1118 Agent ********* -2018-08-06 09:33:31:085 480 1118 Agent * Include potentially superseded updates -2018-08-06 09:33:31:085 480 1118 Agent * Online = No; Ignore download priority = No -2018-08-06 09:33:31:085 480 1118 Agent * Criteria = "IsHidden = 0 AND DeploymentAction=*" -2018-08-06 09:33:31:085 480 1118 Agent * ServiceID = {00000000-0000-0000-0000-000000000000} Third party service -2018-08-06 09:33:31:085 480 1118 Agent * Search Scope = {Machine} -2018-08-06 09:33:32:554 480 1118 Agent * Found 83 updates and 83 categories in search; evaluated appl. rules of 517 out of 1473 deployed entities -2018-08-06 09:33:32:554 480 1118 Agent ********* -2018-08-06 09:33:32:554 480 1118 Agent ** END ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] -``` - -In the above log snippet, we see that the Criteria = "IsHidden = 0 AND DeploymentAction=*". "*" means there is nothing specified from the server. So, the scan happens but there is no direction to download or install to the agent. So it just scans the update and provides the results. - -Now if you look at the below logs, the Automatic update runs the scan and finds no update approved for it. So it reports there are 0 updates to install or download. This is due to bad setup or configuration in the environment. The WSUS side should approve the patches for WU so that it fetches the updates and installs it on the specified time according to the policy. Since this scenario doesn't include SCCM, there's no way to install unapproved updates. And that is the problem you are facing. You expect that the scan should be done by the operational insight agent and automatically trigger download and install but that won’t happen here. - -``` -2018-08-06 10:58:45:992 480 5d8 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] -2018-08-06 10:58:45:992 480 5d8 Agent ********* -2018-08-06 10:58:45:992 480 5d8 Agent * Online = Yes; Ignore download priority = No -2018-08-06 10:58:45:992 480 5d8 Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1" - -2018-08-06 10:58:46:617 480 5d8 PT + SyncUpdates round trips: 2 -2018-08-06 10:58:47:383 480 5d8 Agent * Found 0 updates and 83 categories in search; evaluated appl. rules of 617 out of 1473 deployed entities -2018-08-06 10:58:47:383 480 5d8 Agent Reporting status event with 0 installable, 83 installed, 0 installed pending, 0 failed and 0 downloaded updates -2018-08-06 10:58:47:383 480 5d8 Agent ********* -2018-08-06 10:58:47:383 480 5d8 Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] -``` - -## High bandwidth usage on Windows 10 by Windows Update -Users may see that Windows 10 is consuming all the bandwidth in the different offices under the system context. This behavior is by design. Components that may consume bandwidth expand beyond Windows Update components. - -The following group policies can help mitigate this: - -- Blocking access to Windows Update servers: [Policy Turn off access to all Windows Update features](http://gpsearch.azurewebsites.net/#4728) (Set to enabled) -- Driver search: [Policy Specify search order for device driver source locations](http://gpsearch.azurewebsites.net/#183) (Set to "Do not search Windows Update") -- Windows Store automatic update: [Policy Turn off Automatic Download and Install of updates](http://gpsearch.azurewebsites.net/#10876) (Set to enabled) - -Other components that reach out to the internet: - -- Windows Spotlight: [Policy Configure Windows spotlight on lock screen](http://gpsearch.azurewebsites.net/#13362) (Set to disabled) -- Consumer experiences: [Policy Turn off Microsoft consumer experiences](http://gpsearch.azurewebsites.net/#13329) (Set to enabled) -- Background traffic from Windows apps: [Policy Let Windows apps run in the background](http://gpsearch.azurewebsites.net/#13571) +--- +title: Windows Update troubleshooting +description: Learn how to troubleshoot Windows Update +ms.prod: w10 +ms.mktglfcycl: +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationprioauthor: jaimeo +ms.audience: itpro +author: jaimeo +ms.date: 09/18/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Windows Update troubleshooting + +>Applies to: Windows 10 + +If you run into problems when using Windows Update, start with the following steps: + +1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to **Settings > Update & Security > Troubleshoot > Windows Update**. +2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on SSU. +3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system: + + - [Windows 10, version 1809 and Windows Server 2019](https://support.microsoft.com/help/4464619/windows-10-update-history) + - [Windows 10, version 1803](https://support.microsoft.com/help/4099479/windows-10-update-history) + - [Windows 10, version 1709](https://support.microsoft.com/help/4043454) + - [Windows 10, version 1703](https://support.microsoft.com/help/4018124) + - [Windows 10 and Windows Server 2016](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) + - [Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/4009470/windows-8-1-windows-server-2012-r2-update-history) + - [Windows Server 2012](https://support.microsoft.com/help/4009471/windows-server-2012-update-history) + - [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/4009469/windows-7-sp1-windows-server-2008-r2-sp1-update-history) + +Advanced users can also refer to the [log](windows-update-logs.md) generated by Windows Update for further investigation. + +You might encounter the following scenarios when using Windows Update. + +## Why am I offered an older update/upgrade? +The update that is offered to a device depends on several factors. Some of the most common attributes include the following: + +- OS Build +- OS Branch +- OS Locale +- OS Architecture +- Device update management configuration + +If the update you're offered isn't the most current available, it might be because your device is being managed by a WSUS server, and you're being offered the updates available on that server. It's also possible, if your device is part of a Windows as a Service deployment ring, that your admin is intentionally slowing the rollout of updates. Since the WaaS rollout is slow and measured to begin with, all devices will not receive the update on the same day. + +## My machine is frozen at scan. Why? +The Settings UI is talking to the Update Orchestrator service which in turn is talking to Windows Update service. If these services stop unexpectedly then you might see this behavior. In such cases, do the following: +1. Close the Settings app and reopen it. +2. Launch Services.msc and check if the following services are running: + - Update State Orchestrator + - Windows Update + +## Feature updates are not being offered while other updates are +On computers running [Windows 10 1709 or higher](#BKMK_DCAT) configured to update from Windows Update (usually WUfB scenario) servicing and definition updates are being installed successfully, but feature updates are never offered. + +Checking the WindowsUpdate.log reveals the following error: +``` +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent * START * Finding updates CallerId = Update;taskhostw Id = 25 +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Online = Yes; Interactive = No; AllowCachedResults = No; Ignore download priority = No +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent ServiceID = {855E8A7C-ECB4-4CA3-B045-1DFA50104289} Third party service +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Search Scope = {Current User} +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Caller SID for Applicability: S-1-12-1-2933642503-1247987907-1399130510-4207851353 +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc Got 855E8A7C-ECB4-4CA3-B045-1DFA50104289 redir Client/Server URL: https://fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx"" +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc Token Requested with 0 category IDs. +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc GetUserTickets: No user tickets found. Returning WU_E_NO_USERTOKEN. +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::GetDeviceTickets:570] +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::GetDeviceTickets:570] +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetDeviceTickets +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::AddTickets:1092] +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [CUpdateEndpointProvider::GenerateSecurityTokenWithAuthTickets:1587] +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetAgentTokenFromServer +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetAgentToken +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] EP:Call to GetEndpointToken +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Failed to obtain service 855E8A7C-ECB4-4CA3-B045-1DFA50104289 plugin Client/Server auth token of type 0x00000001 +YYYY/MM/DD HH:mm:ss:SSS PID TID ProtocolTalker *FAILED* [80070426] Method failed [CAgentProtocolTalkerContext::DetermineServiceEndpoint:377] +YYYY/MM/DD HH:mm:ss:SSS PID TID ProtocolTalker *FAILED* [80070426] Initialization failed for Protocol Talker Context +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Exit code = 0x80070426 +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent * END * Finding updates CallerId = Update;taskhostw Id = 25 +``` + +The 0x80070426 error code translates to: +``` +ERROR_SERVICE_NOT_ACTIVE - # The service has not been started. +``` + +Microsoft Account Sign In Assistant (MSA or wlidsvc) is the service in question. The DCAT Flighting service (ServiceId: 855E8A7C-ECB4-4CA3-B045-1DFA50104289) relies on the Microsoft Account Sign In Assistant (MSA) to get the Global Device ID for the device. Without the MSA service running, the global device ID will not be generated and sent by the client and the search for feature updates never completes successfully. + +In order to solve this issue, we need to reset the MSA service to the default StartType of manual. + +## Issues related to HTTP/Proxy +Windows Update uses WinHttp with Partial Range requests (RFC 7233) to download updates and applications from Windows Update servers or on-premises WSUS servers. Because of this proxy servers configured on the network must support HTTP RANGE requests. If a proxy was configured in Internet Explorer (User level) but not in WinHTTP (System level), connections to Windows Update will fail. + +To fix this issue, configure a proxy in WinHTTP by using the following netsh command: + +``` +netsh winhttp set proxy ProxyServerName:PortNumber +``` + +>[!NOTE] +> You can also import the proxy settings from Internet Explorer by using the following command: netsh winhttp import proxy source=ie + +If downloads through a proxy server fail with a 0x80d05001 DO_E_HTTP_BLOCKSIZE_MISMATCH error, or if you notice high CPU usage while updates are downloading, check the proxy configuration to permit HTTP RANGE requests to run. + +You may choose to apply a rule to permit HTTP RANGE requests for the following URLs: + +*.download.windowsupdate.com +*.dl.delivery.mp.microsoft.com +*.emdl.ws.microsoft.com + +If you cannot permit RANGE requests, keep in mind that this means you are downloading more content than needed in updates (as delta patching will not work). + + +## The update is not applicable to your computer +The most common reasons for this error are described in the following table: + +|Cause|Explanation|Resolution| +|-----|-----------|----------| +|Update is superseded|As updates for a component are released, the updated component will supersede an older component that is already on the system. When this occurs, the previous update is marked as superseded. If the update that you're trying to install already has a newer version of the payload on your system, you may encounter this error message.|Check that the package that you are installing contains newer versions of the binaries. Or, check that the package is superseded by another new package. | +|Update is already installed|If the update that you're trying to install was previously installed, for example, by another update that carried the same payload, you may encounter this error message.|Verify that the package that you are trying to install was not previously installed.| +|Wrong update for architecture|Updates are published by CPU architecture. If the update that you're trying to install does not match the architecture for your CPU, you may encounter this error message. |Verify that the package that you're trying to install matches the Windows version that you are using. The Windows version information can be found in the "Applies To" section of the article for each update. For example, Windows Server 2012-only updates cannot be installed on Windows Server 2012 R2-based computers.
Also, verify that the package that you are installing matches the processor architecture of the Windows version that you are using. For example, an x86-based update cannot be installed on x64-based installations of Windows. | +|Missing prerequisite update|Some updates require a prerequisite update before they can be applied to a system. If you are missing a prerequisite update, you may encounter this error message. For example, KB 2919355 must be installed on Windows 8.1 and Windows Server 2012 R2 computers before many of the updates that were released after April 2014 can be installed.|Check the related articles about the package in the Microsoft Knowledge Base (KB) to make sure that you have the prerequisite updates installed. For example, if you encounter the error message on Windows 8.1 or Windows Server 2012 R2, you may have to install the April 2014 update 2919355 as a prerequisite and one or more pre-requisite servicing updates (KB 2919442 and KB 3173424).
Note: To determine if these prerequisite updates are installed, run the following PowerShell command:
get-hotfix KB3173424,KB2919355,KB2919442
If the updates are installed, the command will return the installed date in the "InstalledOn" section of the output. + +## Issues related to firewall configuration +Error that may be seen in the WU logs: +``` +DownloadManager Error 0x800706d9 occurred while downloading update; notifying dependent calls. +``` +Or +``` +[DownloadManager] BITS job {A4AC06DD-D6E6-4420-8720-7407734FDAF2} hit a transient error, updateId = {D053C08A-6250-4C43-A111-56C5198FE142}.200 , error = 0x800706D9 +``` +Or +``` +DownloadManager [0]12F4.1FE8::09/29/2017-13:45:08.530 [agent]DO job {C6E2F6DC-5B78-4608-B6F1-0678C23614BD} hit a transient error, updateId = 5537BD35-BB74-40B2-A8C3-B696D3C97CBA.201 , error = 0x80D0000A +``` + +Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. For more information, see [I need to disable Windows Firewall](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766337(v=ws.10)). + +## Issues arising from configuration of conflicting policies +Windows Update provides a wide range configuration policies to control the behavior of WU service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting polices may lead to unexpected behaviors. + +See [How to configure automatic updates by using Group Policy or registry settings](https://support.microsoft.com/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s) for more information. + + +## Updates aren't downloading from the intranet endpoint (WSUS/SCCM) +Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps: +1. Start Windows PowerShell as an administrator +2. Run \$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager". +3. Run \$MUSM.Services. + +Check the output for the Name and OffersWindowsUPdates parameters, which you can interpret according to this table. + +|Output|Interpretation| +|-|-| +|- Name: Microsoft Update
-OffersWindowsUpdates: True| - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.
- Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.) | +|- Name: DCat Flighting Prod
- OffersWindowsUpdates: True |- Starting with Windows 10 1709, feature updates are always delivered through the DCAT service.
- Indicates that the client is configured to receive feature updates from Windows Update. | +|- Name: Windows Store (DCat Prod)
- OffersWindowsUpdates: False |-The update source is Insider Updates for Store Apps.
- Indicates that the client will not receive or is not configured to receive these updates.| +|- Name: Windows Server Update Service
- OffersWindowsUpdates: True |- The source is a Windows Server Updates Services server.
- The client is configured to receive updates from WSUS. | +|- Name: Windows Update
- OffersWindowsUpdates: True|- The source is Windows Update.
- The client is configured to receive updates from Windows Update Online.| + +## You have a bad setup in the environment +If we look at the GPO being set through registry, the system is configured to use WSUS to download updates: + +``` +HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] +"UseWUServer"=dword:00000001 ===================================> it says use WSUS server. +``` + +From the WU logs: +``` +2018-08-06 09:33:31:085 480 1118 Agent ** START ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] +2018-08-06 09:33:31:085 480 1118 Agent ********* +2018-08-06 09:33:31:085 480 1118 Agent * Include potentially superseded updates +2018-08-06 09:33:31:085 480 1118 Agent * Online = No; Ignore download priority = No +2018-08-06 09:33:31:085 480 1118 Agent * Criteria = "IsHidden = 0 AND DeploymentAction=*" +2018-08-06 09:33:31:085 480 1118 Agent * ServiceID = {00000000-0000-0000-0000-000000000000} Third party service +2018-08-06 09:33:31:085 480 1118 Agent * Search Scope = {Machine} +2018-08-06 09:33:32:554 480 1118 Agent * Found 83 updates and 83 categories in search; evaluated appl. rules of 517 out of 1473 deployed entities +2018-08-06 09:33:32:554 480 1118 Agent ********* +2018-08-06 09:33:32:554 480 1118 Agent ** END ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] +``` + +In the above log snippet, we see that the Criteria = "IsHidden = 0 AND DeploymentAction=*". "*" means there is nothing specified from the server. So, the scan happens but there is no direction to download or install to the agent. So it just scans the update and provides the results. + +Now if you look at the below logs, the Automatic update runs the scan and finds no update approved for it. So it reports there are 0 updates to install or download. This is due to bad setup or configuration in the environment. The WSUS side should approve the patches for WU so that it fetches the updates and installs it on the specified time according to the policy. Since this scenario doesn't include SCCM, there's no way to install unapproved updates. And that is the problem you are facing. You expect that the scan should be done by the operational insight agent and automatically trigger download and install but that won’t happen here. + +``` +2018-08-06 10:58:45:992 480 5d8 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] +2018-08-06 10:58:45:992 480 5d8 Agent ********* +2018-08-06 10:58:45:992 480 5d8 Agent * Online = Yes; Ignore download priority = No +2018-08-06 10:58:45:992 480 5d8 Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1" + +2018-08-06 10:58:46:617 480 5d8 PT + SyncUpdates round trips: 2 +2018-08-06 10:58:47:383 480 5d8 Agent * Found 0 updates and 83 categories in search; evaluated appl. rules of 617 out of 1473 deployed entities +2018-08-06 10:58:47:383 480 5d8 Agent Reporting status event with 0 installable, 83 installed, 0 installed pending, 0 failed and 0 downloaded updates +2018-08-06 10:58:47:383 480 5d8 Agent ********* +2018-08-06 10:58:47:383 480 5d8 Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] +``` + +## High bandwidth usage on Windows 10 by Windows Update +Users may see that Windows 10 is consuming all the bandwidth in the different offices under the system context. This behavior is by design. Components that may consume bandwidth expand beyond Windows Update components. + +The following group policies can help mitigate this: + +- Blocking access to Windows Update servers: [Policy Turn off access to all Windows Update features](http://gpsearch.azurewebsites.net/#4728) (Set to enabled) +- Driver search: [Policy Specify search order for device driver source locations](http://gpsearch.azurewebsites.net/#183) (Set to "Do not search Windows Update") +- Windows Store automatic update: [Policy Turn off Automatic Download and Install of updates](http://gpsearch.azurewebsites.net/#10876) (Set to enabled) + +Other components that reach out to the internet: + +- Windows Spotlight: [Policy Configure Windows spotlight on lock screen](http://gpsearch.azurewebsites.net/#13362) (Set to disabled) +- Consumer experiences: [Policy Turn off Microsoft consumer experiences](http://gpsearch.azurewebsites.net/#13329) (Set to enabled) +- Background traffic from Windows apps: [Policy Let Windows apps run in the background](http://gpsearch.azurewebsites.net/#13571) diff --git a/windows/deployment/update/wufb-autoupdate.md b/windows/deployment/update/wufb-autoupdate.md index 9bdabe44ba..0d7b34374e 100644 --- a/windows/deployment/update/wufb-autoupdate.md +++ b/windows/deployment/update/wufb-autoupdate.md @@ -1,37 +1,39 @@ ---- -title: Setting up Automatic Update in Windows Update for Business (Windows 10) -description: Learn how to get started using Windows Update for Business. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.audience: itpro author: greg-lindsay -ms.date: 06/20/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Set up Automatic Update in Windows Update for Business with group policies - ->Applies to: Windows 10 - -Use the Automatic Update group policies to manage the interaction between Windows Update and clients. - -Automatic Update governs the "behind the scenes" download and installation processes. It's important to keep in mind the device limitation in your environment as the download and install process can consume processing power. The below section outlines the ideal configuration for devices with the least amount of user experience degradation. - -|Policy|Description | -|-|-| -|Configure Automatic Updates|Governs the installation activity that happens in the background. This allows you to configure the installation to happen during the [maintenance window](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). Also, you can specify an installation time where the device will also try to install the latest packages. You can also pick a certain day and or week.| -|Automatic Update Detection Frequency|Lets you set the scan frequency the device will use to connect to Windows Update to see if there is any available content. Default is 22 hours, but you can increase or decrease the frequency. Keep in mind a desktop computer may need to scan less frequently than laptops, which can have intermittent internet connection.| -|Specify Intranet Microsoft Update Service Location|Used for Windows Server Update Services or System Center Configuration Manager users who want to install custom packages that are not offered through Windows Update.| -|Do not connect to any Windows Update Internet locations
Required for Dual Scan|Prevents access to Windows Update.| - -## Suggested configuration - -|Policy|Location|Suggested configuration| -|-|-|-| -|Configure Automatic Updates| GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates| **Attention**: If you are using this policy, don't set it/configure it to get the default behavior. If you have set this policy, delete the reg key. This ensures the device uses the default behavior. Note that this is not the same as the default setting within the policy.

**Default behavior**: Download and installation happen automatically. The device will then be in a pending reboot state.

**Pro tip**: You can configure the scan frequency to be more frequent with the policy below.| -|Automatic Update Detection Frequency|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Automatic Updates detection frequency|State: Enabled
**Check for updates on the following interval (hours)**: 22| -|Do not connect to any Windows Update Internet locations (Required for Dual Scan) | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not connect to any Windows Update Internet locations |State: Disabled | +--- +title: Setting up Automatic Update in Windows Update for Business (Windows 10) +description: Learn how to get started using Windows Update for Business. +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationprioauthor: jaimeo +ms.audience: itpro +author: jaimeo +ms.date: 06/20/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Set up Automatic Update in Windows Update for Business with group policies + +>Applies to: Windows 10 + +Use the Automatic Update group policies to manage the interaction between Windows Update and clients. + +Automatic Update governs the "behind the scenes" download and installation processes. It's important to keep in mind the device limitation in your environment as the download and install process can consume processing power. The below section outlines the ideal configuration for devices with the least amount of user experience degradation. + +|Policy|Description | +|-|-| +|Configure Automatic Updates|Governs the installation activity that happens in the background. This allows you to configure the installation to happen during the [maintenance window](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). Also, you can specify an installation time where the device will also try to install the latest packages. You can also pick a certain day and or week.| +|Automatic Update Detection Frequency|Lets you set the scan frequency the device will use to connect to Windows Update to see if there is any available content. Default is 22 hours, but you can increase or decrease the frequency. Keep in mind a desktop computer may need to scan less frequently than laptops, which can have intermittent internet connection.| +|Specify Intranet Microsoft Update Service Location|Used for Windows Server Update Services or System Center Configuration Manager users who want to install custom packages that are not offered through Windows Update.| +|Do not connect to any Windows Update Internet locations
Required for Dual Scan|Prevents access to Windows Update.| + +## Suggested configuration + +|Policy|Location|Suggested configuration| +|-|-|-| +|Configure Automatic Updates| GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates| **Attention**: If you are using this policy, don't set it/configure it to get the default behavior. If you have set this policy, delete the reg key. This ensures the device uses the default behavior. Note that this is not the same as the default setting within the policy.

**Default behavior**: Download and installation happen automatically. The device will then be in a pending reboot state.

**Pro tip**: You can configure the scan frequency to be more frequent with the policy below.| +|Automatic Update Detection Frequency|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Automatic Updates detection frequency|State: Enabled
**Check for updates on the following interval (hours)**: 22| +|Do not connect to any Windows Update Internet locations (Required for Dual Scan) | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not connect to any Windows Update Internet locations |State: Disabled | diff --git a/windows/deployment/update/wufb-basics.md b/windows/deployment/update/wufb-basics.md index e1e9419e08..11483f0c9b 100644 --- a/windows/deployment/update/wufb-basics.md +++ b/windows/deployment/update/wufb-basics.md @@ -1,29 +1,31 @@ ---- -title: Configure the Basic group policy for Windows Update for Business -description: Learn how to get started using the Basic GPO in Windows Update for Business. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.audience: itpro author: greg-lindsay -ms.date: 06/20/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- -# Configure the Basic group policy for Windows Update for Business - -For Windows Update for Business configurations to work, devices need to be configured with minimum [diagnostic data](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization) level of "Basic." Additionally, compliance reporting for configured devices is obtained using [Update Compliance in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). To view your data in Update Compliance [diagnostics data must be enabled](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#set-diagnostic-data-levels) and the devices must be configured with a commercial ID, a unique GUID created for an enterprise at the time of onboarding to the Windows Analytics solution. - -|Policy name|Description | -|-|-| -|Allow Telemetry|Enables Microsoft to run diagnostics on your device and troubleshoot.| -|Configure Commercial ID|This policy allows you to join the device to an entity.| - -## Suggested configuration - -|Policy|Location|Suggested configuration| -|-|-|-| -|Allow Telemetry |GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Telemetry |State: Enabled
**Option**: 1-Basic| -|Configure Commercial ID|GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Commercial ID |State: Enabled
**Commercial ID**: The GUID created for you at the time of onboarding to Windows Analytics| +--- +title: Configure the Basic group policy for Windows Update for Business +description: Learn how to get started using the Basic GPO in Windows Update for Business. +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationprioauthor: jaimeo +ms.audience: itpro +author: jaimeo +ms.date: 06/20/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- +# Configure the Basic group policy for Windows Update for Business + +For Windows Update for Business configurations to work, devices need to be configured with minimum [diagnostic data](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization) level of "Basic." Additionally, compliance reporting for configured devices is obtained using [Update Compliance in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). To view your data in Update Compliance [diagnostics data must be enabled](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#set-diagnostic-data-levels) and the devices must be configured with a commercial ID, a unique GUID created for an enterprise at the time of onboarding to the Windows Analytics solution. + +|Policy name|Description | +|-|-| +|Allow Telemetry|Enables Microsoft to run diagnostics on your device and troubleshoot.| +|Configure Commercial ID|This policy allows you to join the device to an entity.| + +## Suggested configuration + +|Policy|Location|Suggested configuration| +|-|-|-| +|Allow Telemetry |GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Telemetry |State: Enabled
**Option**: 1-Basic| +|Configure Commercial ID|GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Commercial ID |State: Enabled
**Commercial ID**: The GUID created for you at the time of onboarding to Windows Analytics| diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md index 1edad940a4..df08dd3caa 100644 --- a/windows/deployment/update/wufb-compliancedeadlines.md +++ b/windows/deployment/update/wufb-compliancedeadlines.md @@ -3,7 +3,6 @@ title: Enforce compliance deadlines with policies in Windows Update for Business description: Learn how to enforce compliance deadlines using Windows Update for Business. ms.prod: w10 ms.mktglfcycl: manage -ms.sitesec: library author: jaimeo ms.localizationpriority: medium ms.author: jaimeo diff --git a/windows/deployment/update/wufb-managedrivers.md b/windows/deployment/update/wufb-managedrivers.md index a43179a6a8..0fe22b0935 100644 --- a/windows/deployment/update/wufb-managedrivers.md +++ b/windows/deployment/update/wufb-managedrivers.md @@ -1,68 +1,70 @@ ---- -title: Managing drivers, dual-managed environments, and Delivery Optimization with group policies in Windows Update for Business -description: Learn how to manage drivers, dual managed environments, and bandwidth (Delivery Optimization) with GPOs in Windows Update for Business. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.audience: itpro author: greg-lindsay -ms.date: 06/21/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- -# Managing drivers, dual-managed environments, and Delivery Optimization with group policies - ->Applies to: Windows 10 - -Use the following group policy information to manage drivers, to manage environments using both Windows Update for Business and Windows Server Update Services, and to manage the bandwidth required for updates with Delivery Optimization. - -## Managing drivers -Windows Update for Business provides the ability to manage drivers from the Windows Update service. By default, drivers will be offered to your Windows Update-connected devices. Our guidance here is to continue to receive drivers from Windows Update. Alternatively, you can enable the following policy to stop receiving drivers from Windows Update. - -### Policy overview - -|Policy| Description | -|-|-| -|Do not include drivers with Windows Update |When enabled prevents Windows Update from offering drivers.| - -### Suggested configuration - -|Policy| Location|Suggested configuration | -|-|-|-| -|Do not include drivers with Windows Update |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates|State: Disabled | - -## Dual-managed environment - -You can use an on-premises catalog, like WSUS, to deploy 3rd Party patches and use Windows Update to deploy feature and quality updates. We provide capabilities to deploy content from both Windows Update Service and from WSUS. In addition to the policies for managing drivers, apply the following configurations to your environment. - -|Policy| Description | -|-|-| -|Specify Intranet Microsoft Update Service Location| Used for WSUS/System Center Configuration Manager customers who want to install custom packages that are not offered through Windows Update.| - -### Suggested configuration - -|Policy| Location|Suggested configuration | -|-|-|-| -|Specify Intranet Microsoft Update Service Location|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify Intranet Microsoft update service location|State: Enabled
**Set the Intranet Update service for detecting updates**:
**Set the Intranet statistics server**:
**Set the alternate download server**: | - -## Download Optimization - Managing your bandwidth - -[Delivery Optimization](waas-delivery-optimization.md) is Windows 10's built-in downloader and peer-caching technology that can benefit CSE for network bandwidth reduction of Windows 10 servicing updates. Windows 10 clients can source content from other devices on their local network that have already downloaded the same updates in addition to downloading these updates from Microsoft. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests. To configure devices for delivery optimization, ensure the following configurations are set. - -|Policy| Description | -|-|-| -|Download Mode| 2=HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2| -|Minimum Peer Caching Content File Size (in MB)|Specifies the minimum content file size in MB enabled to use peer caching.
Choose a size that meets your environment's constraints.| -|Allow uploads while the device is on battery while under set battery level (percentage)|Specify a battery level from 1-100, where the device will pause uploads once the battery level drops below that percentage. | -|Max Cache Age (in seconds)|Maximum number of seconds to keep data in cache.| - -### Suggested configuration - -|Policy| Location| Suggested configuration | -|-|-|-| -|Download Mode|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Download Mode|State: Enabled
**Download Mode**: Group (2)| -|Minimum Peer Caching Content File Size (in MB)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Minimum Peer Caching Content File Size (in MB)|State: Enabled
**Minimum Peer caching content file size (in MB)**: 10 MB| -|Allow uploads while the device is on battery while under set battery level (percentage)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Allow uploads while the device is on battery while under set battery level (percentage)|State: Enabled
**Minimum battery level (Percentage)**: 60| -|Max Cache Age (in seconds)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Max Cache Age (in seconds)|State: Enabled
**Max Cache Age (in seconds)**: 604800 ~ 7 days| +--- +title: Managing drivers, dual-managed environments, and Delivery Optimization with group policies in Windows Update for Business +description: Learn how to manage drivers, dual managed environments, and bandwidth (Delivery Optimization) with GPOs in Windows Update for Business. +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationprioauthor: jaimeo +ms.audience: itpro +author: jaimeo +ms.date: 06/21/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- +# Managing drivers, dual-managed environments, and Delivery Optimization with group policies + +>Applies to: Windows 10 + +Use the following group policy information to manage drivers, to manage environments using both Windows Update for Business and Windows Server Update Services, and to manage the bandwidth required for updates with Delivery Optimization. + +## Managing drivers +Windows Update for Business provides the ability to manage drivers from the Windows Update service. By default, drivers will be offered to your Windows Update-connected devices. Our guidance here is to continue to receive drivers from Windows Update. Alternatively, you can enable the following policy to stop receiving drivers from Windows Update. + +### Policy overview + +|Policy| Description | +|-|-| +|Do not include drivers with Windows Update |When enabled prevents Windows Update from offering drivers.| + +### Suggested configuration + +|Policy| Location|Suggested configuration | +|-|-|-| +|Do not include drivers with Windows Update |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates|State: Disabled | + +## Dual-managed environment + +You can use an on-premises catalog, like WSUS, to deploy 3rd Party patches and use Windows Update to deploy feature and quality updates. We provide capabilities to deploy content from both Windows Update Service and from WSUS. In addition to the policies for managing drivers, apply the following configurations to your environment. + +|Policy| Description | +|-|-| +|Specify Intranet Microsoft Update Service Location| Used for WSUS/System Center Configuration Manager customers who want to install custom packages that are not offered through Windows Update.| + +### Suggested configuration + +|Policy| Location|Suggested configuration | +|-|-|-| +|Specify Intranet Microsoft Update Service Location|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify Intranet Microsoft update service location|State: Enabled
**Set the Intranet Update service for detecting updates**:
**Set the Intranet statistics server**:
**Set the alternate download server**: | + +## Download Optimization - Managing your bandwidth + +[Delivery Optimization](waas-delivery-optimization.md) is Windows 10's built-in downloader and peer-caching technology that can benefit CSE for network bandwidth reduction of Windows 10 servicing updates. Windows 10 clients can source content from other devices on their local network that have already downloaded the same updates in addition to downloading these updates from Microsoft. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests. To configure devices for delivery optimization, ensure the following configurations are set. + +|Policy| Description | +|-|-| +|Download Mode| 2=HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2| +|Minimum Peer Caching Content File Size (in MB)|Specifies the minimum content file size in MB enabled to use peer caching.
Choose a size that meets your environment's constraints.| +|Allow uploads while the device is on battery while under set battery level (percentage)|Specify a battery level from 1-100, where the device will pause uploads once the battery level drops below that percentage. | +|Max Cache Age (in seconds)|Maximum number of seconds to keep data in cache.| + +### Suggested configuration + +|Policy| Location| Suggested configuration | +|-|-|-| +|Download Mode|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Download Mode|State: Enabled
**Download Mode**: Group (2)| +|Minimum Peer Caching Content File Size (in MB)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Minimum Peer Caching Content File Size (in MB)|State: Enabled
**Minimum Peer caching content file size (in MB)**: 10 MB| +|Allow uploads while the device is on battery while under set battery level (percentage)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Allow uploads while the device is on battery while under set battery level (percentage)|State: Enabled
**Minimum battery level (Percentage)**: 60| +|Max Cache Age (in seconds)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Max Cache Age (in seconds)|State: Enabled
**Max Cache Age (in seconds)**: 604800 ~ 7 days| diff --git a/windows/deployment/update/wufb-manageupdate.md b/windows/deployment/update/wufb-manageupdate.md index 6ba3572c05..f1513ece69 100644 --- a/windows/deployment/update/wufb-manageupdate.md +++ b/windows/deployment/update/wufb-manageupdate.md @@ -1,59 +1,61 @@ ---- -title: Managing feature and quality updates with policies in Windows Update for Business (Windows 10) -description: Learn how to get started using Windows Update for Business. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.audience: itpro author: greg-lindsay -ms.date: 06/20/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Manage feature and quality updates with group policies - ->Applies to: Windows 10 - -Windows Update for Business allows users to control when devices should receive a feature or quality update from Windows Update. Depending on the size of your organization you may want to do a wave deployment of updates. The first step in this process is to determine which Branch Readiness Level you want your organization on. For more information on which level is right for your organization review [Overview of Windows as a service](waas-overview.md). - -The following policies let you configure when you want a device to see a feature and or quality update from Windows Update. - -## Policy overview - -|Policy name| Description | -|-|-| -|Select when Quality Updates are received|Configures when the device should receive quality update. In this policy you can also select a date to pause receiving Quality Updates until. | -|Select when Preview Builds & feature Updates are received|Configures when the device should receive a feature update. You can also configure your branch readiness level. This policy also provides the ability to "pause" updates until a certain point. | -|Do not allow update deferral policies to cause scans against Windows Update|When enabled will not allow the deferral policies to cause scans against Windows Update.| - -## Suggested configuration for a non-wave deployment - -If you don't need a wave deployment and have a small set of devices to manage, we recommend the following configuration: - -|Policy| Location|Suggested configuration | -|-|-|-| -|Select when Quality Updates are received | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are received|State: Enabled
**Defer receiving it for this many days**: 0
**Pause Quality Updates**: Blank
*Note: use this functionality to prevent the device from receiving a quality update until the time passes| -|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
**Select Windows Readiness Level**: SAC
**Defer receiving for this many days**: 0-365
**Pause Feature Updates**: Blank
*Note: use this functionality to prevent the device from receiving a feature update until the time passes| -|Do not allow update deferral policies to cause scans against Windows Update|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not allow update deferral policies to cause scans against Windows Update|State: Disabled| - -## Suggested configuration for a wave deployment -![Graphic showing a deployment divided into rings for a wave deployment](images/wufb-wave-deployment.png) - -## Early validation and testing -Depending on your organizational size and requirements you might be able to test feature updates earlier to identify if there are impacts to Line of Business applications. Our recommendation is to enroll a set of devices that are a good representation of your device ecosystem (for example, devices with accounting software or engineering software). Learn more about [different deployment rings](https://insider.windows.com/how-to-pc/#working-with-rings). - -|Policy|Location|Suggested configuration | -|-|-|-| -|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
**Select Windows Readiness Level**: WIP Fast or WIP slow
**Defer receiving for this many days**: 0
**Pause Feature Updates**: Blank *Note: use this functionality to prevent the device from receiving a feature update until the time passes.| -|Select when Quality Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are received|State: Enabled
**Defer receiving it for this many days**: 0
**Pause Quality Updates**: Blank
*Note: use this functionality to prevent the device from receiving a quality update until the time passes| - -## Wave deployment for feature updates - -If you want to deploy feature updates in waves we suggest using the following configuration. For the deferral days we recommend staging them out in 1-month increments. Manage your risk by placing critical devices later in the wave (deferrals > 30 or 60 days) while placing your low risk devices earlier in the wave (deferrals < 30 days). Using deferrals days is a great method to manage your wave deployment. Using this in combination with our suggested early validation will help you prepare your environment for the latest updates from Windows. - -|Policy|Location|Suggested configuration | -|-|-|-| -|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
**Select Windows Readiness Level**: SAC
**Defer receiving for this many days**: 0, 30, 60, 90, 120
**Pause Feature Updates**: Blank
*Note: use this functionality to prevent the device from receiving a feature update until the time passes +--- +title: Managing feature and quality updates with policies in Windows Update for Business (Windows 10) +description: Learn how to get started using Windows Update for Business. +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationprioauthor: jaimeo +ms.audience: itpro +author: jaimeo +ms.date: 06/20/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Manage feature and quality updates with group policies + +>Applies to: Windows 10 + +Windows Update for Business allows users to control when devices should receive a feature or quality update from Windows Update. Depending on the size of your organization you may want to do a wave deployment of updates. The first step in this process is to determine which Branch Readiness Level you want your organization on. For more information on which level is right for your organization review [Overview of Windows as a service](waas-overview.md). + +The following policies let you configure when you want a device to see a feature and or quality update from Windows Update. + +## Policy overview + +|Policy name| Description | +|-|-| +|Select when Quality Updates are received|Configures when the device should receive quality update. In this policy you can also select a date to pause receiving Quality Updates until. | +|Select when Preview Builds & feature Updates are received|Configures when the device should receive a feature update. You can also configure your branch readiness level. This policy also provides the ability to "pause" updates until a certain point. | +|Do not allow update deferral policies to cause scans against Windows Update|When enabled will not allow the deferral policies to cause scans against Windows Update.| + +## Suggested configuration for a non-wave deployment + +If you don't need a wave deployment and have a small set of devices to manage, we recommend the following configuration: + +|Policy| Location|Suggested configuration | +|-|-|-| +|Select when Quality Updates are received | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are received|State: Enabled
**Defer receiving it for this many days**: 0
**Pause Quality Updates**: Blank
*Note: use this functionality to prevent the device from receiving a quality update until the time passes| +|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
**Select Windows Readiness Level**: SAC
**Defer receiving for this many days**: 0-365
**Pause Feature Updates**: Blank
*Note: use this functionality to prevent the device from receiving a feature update until the time passes| +|Do not allow update deferral policies to cause scans against Windows Update|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not allow update deferral policies to cause scans against Windows Update|State: Disabled| + +## Suggested configuration for a wave deployment +![Graphic showing a deployment divided into rings for a wave deployment](images/wufb-wave-deployment.png) + +## Early validation and testing +Depending on your organizational size and requirements you might be able to test feature updates earlier to identify if there are impacts to Line of Business applications. Our recommendation is to enroll a set of devices that are a good representation of your device ecosystem (for example, devices with accounting software or engineering software). Learn more about [different deployment rings](https://insider.windows.com/how-to-pc/#working-with-rings). + +|Policy|Location|Suggested configuration | +|-|-|-| +|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
**Select Windows Readiness Level**: WIP Fast or WIP slow
**Defer receiving for this many days**: 0
**Pause Feature Updates**: Blank *Note: use this functionality to prevent the device from receiving a feature update until the time passes.| +|Select when Quality Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are received|State: Enabled
**Defer receiving it for this many days**: 0
**Pause Quality Updates**: Blank
*Note: use this functionality to prevent the device from receiving a quality update until the time passes| + +## Wave deployment for feature updates + +If you want to deploy feature updates in waves we suggest using the following configuration. For the deferral days we recommend staging them out in 1-month increments. Manage your risk by placing critical devices later in the wave (deferrals > 30 or 60 days) while placing your low risk devices earlier in the wave (deferrals < 30 days). Using deferrals days is a great method to manage your wave deployment. Using this in combination with our suggested early validation will help you prepare your environment for the latest updates from Windows. + +|Policy|Location|Suggested configuration | +|-|-|-| +|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
**Select Windows Readiness Level**: SAC
**Defer receiving for this many days**: 0, 30, 60, 90, 120
**Pause Feature Updates**: Blank
*Note: use this functionality to prevent the device from receiving a feature update until the time passes diff --git a/windows/deployment/update/wufb-onboard.md b/windows/deployment/update/wufb-onboard.md index 98d62be2fa..058f595090 100644 --- a/windows/deployment/update/wufb-onboard.md +++ b/windows/deployment/update/wufb-onboard.md @@ -1,47 +1,49 @@ ---- -title: Onboarding to Windows Update for Business (Windows 10) -description: Learn how to get started using Windows Update for Business. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.audience: itpro author: greg-lindsay -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Onboarding to Windows Update for Business in Windows 10 - ->Applies to: Windows 10 - -Windows Update for Business is a tool that enables IT pros and power users to manage content they want to receive from Windows Update Service. Windows Update for Business can control the following: - -- Interaction between the client and Windows Update service -- End user notification for pending updates -- Compliance deadlines for feature or quality updates -- Configure wave deployment for feature or quality updates bandwidth optimization - -We also provide additional functionality to manage your environment when risk or issues arise such as applications being blocked: - -- Uninstall latest feature or quality update -- Pause for a duration of time - -Use the following information to set up your environment using Windows Update for Business policies: - -- [Supported SKUs](#supported-editions) -- [Windows Update for Business basics](wufb-basics.md) -- [Setting up automatic update](wufb-autoupdate.md) -- [Managing feature and quality updates](wufb-manageupdate.md) -- [Enforcing compliance deadlines](wufb-compliancedeadlines.md) -- [Managing drivers, environments with both Windows Update for Business and WSUS, and Download Optmization](wufb-managedrivers.md) - -## Supported editions - -Windows Update for Business is supported on the following editions of Windows 10: - -- Windows 10 Education -- Windows 10 Enterprise -- Windows 10 Pro -- Windows 10 S (for Windows 10, version 1709 and earlier) +--- +title: Onboarding to Windows Update for Business (Windows 10) +description: Learn how to get started using Windows Update for Business. +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationprioauthor: jaimeo +ms.audience: itpro +author: jaimeo +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Onboarding to Windows Update for Business in Windows 10 + +>Applies to: Windows 10 + +Windows Update for Business is a tool that enables IT pros and power users to manage content they want to receive from Windows Update Service. Windows Update for Business can control the following: + +- Interaction between the client and Windows Update service +- End user notification for pending updates +- Compliance deadlines for feature or quality updates +- Configure wave deployment for feature or quality updates bandwidth optimization + +We also provide additional functionality to manage your environment when risk or issues arise such as applications being blocked: + +- Uninstall latest feature or quality update +- Pause for a duration of time + +Use the following information to set up your environment using Windows Update for Business policies: + +- [Supported SKUs](#supported-editions) +- [Windows Update for Business basics](wufb-basics.md) +- [Setting up automatic update](wufb-autoupdate.md) +- [Managing feature and quality updates](wufb-manageupdate.md) +- [Enforcing compliance deadlines](wufb-compliancedeadlines.md) +- [Managing drivers, environments with both Windows Update for Business and WSUS, and Download Optmization](wufb-managedrivers.md) + +## Supported editions + +Windows Update for Business is supported on the following editions of Windows 10: + +- Windows 10 Education +- Windows 10 Enterprise +- Windows 10 Pro +- Windows 10 S (for Windows 10, version 1709 and earlier) diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md index 6d2dc8e363..c57477e5a0 100644 --- a/windows/deployment/windows-autopilot/add-devices.md +++ b/windows/deployment/windows-autopilot/add-devices.md @@ -1,162 +1,163 @@ ---- -title: Adding devices -ms.reviewer: -manager: laurawi -description: How to add devices to Windows Autopilot -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Adding devices to Windows Autopilot - -**Applies to** - -- Windows 10 - -Before deploying a device using Windows Autopilot, the device must be registered with the Windows Autopilot deployment service. Ideally, this would be performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually. - -## OEM registration - -When you purchase devices directly from an OEM, that OEM can automatically register the devices with the Windows Autopilot deployment service. For the list of OEMs that currently support this, see the "Participant device manufacturers" section of the [Windows Autopilot information page](https://www.microsoft.com/windowsforbusiness/windows-autopilot). - -Before an OEM can register devices on behalf of an organization, the organization must grant the OEM permission to do so. This process is initiated by the OEM, with approval granted by an Azure AD global administrator from the organization. See the "Customer Consent" section of the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#oem-authorization). - -## Reseller, distributor, or partner registration - -Customers may purchase devices from resellers, distributors, or other partners. As long as these resellers, distributors, and partners are part of the [Cloud Solution Partners (CSP) program](https://partner.microsoft.com/en-us/cloud-solution-provider), they too can register devices on behalf of the customer. - -As with OEMs, CSP parnters must be granted permission to register devices on behalf of an organization. This follows the process described on the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#csp-authorization). The CSP partner initiates a request to establish a relationship with the organization, with approval granted by a global administrator from the organization. Once approved, CSP partners add devices using [Partner Center](https://partner.microsoft.com/en-us/pcv/dashboard/overview), either directly through the web site or via available APIs that can automate the same tasks. - -Windows Autopilot does not require delegated administrator permissions when establishing the relationship between the CSP partner and the organization. As part of the approval process performed by the global administrator, the global administrator can choose to uncheck the "Include delegated administration permissions" checkbox. - -## Automatic registration of existing devices - -If an existing device is already running Windows 10 version 1703 or later and enrolled in an MDM service such an Intune, that MDM service can ask the device for the hardware ID (also known as a hardware hash). Once it has that, it can automatically register the device with Windows Autopilot. - -For instructions on how to do this with Microsoft Intune, see [Create an Autopilot deployment profile](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-deployment-profile) documentation describing the "Convert all targeted devices to Autopilot" setting. - -Also note that when using the [Windows Autopilot for existing devices](https://docs.microsoft.com/windows/deployment/windows-autopilot/existing-devices) scenario, it is not necessary to pre-register the devices with Windows Autopilot. Instead, a configuration file (AutopilotConfigurationFile.json) containing all the Windows Autopilot profile settings is used; the device can be registered with Windows Autopilot after the fact using the same "Convert all targeted devices to Autopilot" setting. - -## Manual registration - -To perform manual registration of a device, you must first capture its hardware ID (also known as a hardware hash). Once this process has completed, the resulting hardware ID can be uploaded to the Windows Autopilot service. Because this process requires booting the device into Windows 10 in order to obtain the hardware ID, this is intended primarily for testing and evaluation scenarios. - -## Device identification - -To define a device to the Windows Autopilot deployment service, a unique hardware ID for the device needs to be captured and uploaded to the service. While this step is ideally done by the hardware vendor (OEM, reseller, or distributor), automatically associating the device with an organization, it is also possible to do this through a harvesting process that collects the device from within a running Windows 10 version 1703 or later installation. - -The hardware ID, also commonly referred to as a hardware hash, contains several details about the device, including its manufacturer, model, device serial number, hard drive serial number, and many other attributes that can be used to uniquely identify that device. - -Note that the hardware hash also contains details about when it was generated, so it will change each time it is generated. When the Windows Autopilot deployment service attempts to match a device, it considers changes like that, as well as more substantial changes such as a new hard drive, and is still able to match successfully. But substantial changes to the hardware, such as a motherboard replacement, would not match, so a new hash would need to be generated and uploaded. - -### Collecting the hardware ID from existing devices using System Center Configuration Manager - -Starting with System Center Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [What’s new in version 1802](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details. The hash information can be extracted from Configuration Manager into a CSV file. - -### Collecting the hardware ID from existing devices using PowerShell - -The hardware ID, or hardware hash, for an existing device is available through Windows Management Instrumentation (WMI), as long as that device is running Windows 10 version 1703 or later. To help gather this information, as well as the serial number of the device (useful to see at a glance the machine to which it belongs), a PowerShell script called [Get-WindowsAutoPilotInfo.ps1 has been published to the PowerShell Gallery website](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo). - -To use this script, you can download it from the PowerShell Gallery and run it on each computer, or you can install it directly from the PowerShell Gallery. To install it directly and capture the hardware hash from the local computer, use the following commands from an elevated Windows PowerShell prompt: - -```powershell -md c:\\HWID -Set-Location c:\\HWID -Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Install-Script -Name Get-WindowsAutoPilotInfo -Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv -``` - -The commands can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the [Get-WindowsAutoPilotInfo](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) script’s help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information about running the script. - ->[!IMPORTANT] ->Do not connect devices to the Internet prior to capturing the hardware ID and creating an Autopilot device profile. This includes collecting the hardware ID, uploading the .CSV into MSfB or Intune, assigning the profile, and confirming the profile assignment. Connecting the device to the Internet before this process is complete will result in the device downloading a blank profile that is stored on the device until it is explicity removed. In Windows 10 version 1809, you can clear the cached profile by restarting OOBE. In previous versions, the only way to clear the stored profile is to re-install the OS, reimage the PC, or run **sysprep /generalize /oobe**.
->After Intune reports the profile ready to go, only then should the device be connected to the Internet. - ->[!NOTE] ->If OOBE is restarted too many times it can enter a recovery mode and fail to run the Autopilot configuration. You can identify this scenario if OOBE displays multiple configuration options on the same page, including language, region, and keyboard layout. The normal OOBE displays each of these on a separate page. The following value key tracks the count of OOBE retries:
->**HKCU\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UserOOBE**
->To ensure OOBE has not been restarted too many times, you can change this value to 1. - -## Registering devices - - - - -Once the hardware IDs have been captured from existing devices, they can be uploaded through a variety of means. See the detailed documentation for each available mechanism. - -- [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot). This is the preferred mechanism for all customers. -- [Partner Center](https://msdn.microsoft.com/partner-center/autopilot). This is used by CSP partners to register devices on behalf of customers. -- [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa). This is typically used by small and medium businesses (SMBs) who manage their devices using Microsoft 365 Business. -- [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles). You might already be using MSfB to manage your apps and settings. - -A summary of each platform's capabilities is provided below. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Platform/Portal -Register devices? -Create/Assign profile -Acceptable DeviceID -
OEM Direct APIYES - 1000 at a time maxNOTuple or PKID
Partner CenterYES - 1000 at a time maxYESTuple or PKID or 4K HH
IntuneYES - 500 at a time max\*YES\*4K HH
Microsoft Store for BusinessYES - 1000 at a time maxYES4K HH
Microsoft Business 365YES - 1000 at a time maxYES4K HH
- ->*Microsoft recommended platform to use - -## Summary - -When deploying new devices using Windows Autopilot, the following steps are required: - -1. [Register devices](#registering-devices). Ideally, this step is performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually. -2. [Configure device profiles](profiles.md), specifying how the device should be deployed and what user experience should be presented. -3. Boot the device. When the device is connected to a network with internet access, it will contact the Windows Autopilot deployment service to see if the device is registered, and if it is, it will download profile settings such as the [Enrollment Status page](enrollment-status.md), which are used to customize the end user experience. - -## Other configuration settings - -- [Bitlocker encryption settings](bitlocker.md): You can configure the BitLocker encryption settings to be applied before automatic encryption is started. - +--- +title: Adding devices +ms.reviewer: +manager: laurawi +description: How to add devices to Windows Autopilot +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro +author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Adding devices to Windows Autopilot + +**Applies to** + +- Windows 10 + +Before deploying a device using Windows Autopilot, the device must be registered with the Windows Autopilot deployment service. Ideally, this would be performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually. + +## OEM registration + +When you purchase devices directly from an OEM, that OEM can automatically register the devices with the Windows Autopilot deployment service. For the list of OEMs that currently support this, see the "Participant device manufacturers" section of the [Windows Autopilot information page](https://www.microsoft.com/windowsforbusiness/windows-autopilot). + +Before an OEM can register devices on behalf of an organization, the organization must grant the OEM permission to do so. This process is initiated by the OEM, with approval granted by an Azure AD global administrator from the organization. See the "Customer Consent" section of the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#oem-authorization). + +## Reseller, distributor, or partner registration + +Customers may purchase devices from resellers, distributors, or other partners. As long as these resellers, distributors, and partners are part of the [Cloud Solution Partners (CSP) program](https://partner.microsoft.com/en-us/cloud-solution-provider), they too can register devices on behalf of the customer. + +As with OEMs, CSP partners must be granted permission to register devices on behalf of an organization. This follows the process described on the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#csp-authorization). The CSP partner initiates a request to establish a relationship with the organization, with approval granted by a global administrator from the organization. Once approved, CSP partners add devices using [Partner Center](https://partner.microsoft.com/en-us/pcv/dashboard/overview), either directly through the web site or via available APIs that can automate the same tasks. + +Windows Autopilot does not require delegated administrator permissions when establishing the relationship between the CSP partner and the organization. As part of the approval process performed by the global administrator, the global administrator can choose to uncheck the "Include delegated administration permissions" checkbox. + +## Automatic registration of existing devices + +If an existing device is already running Windows 10 version 1703 or later and enrolled in an MDM service such an Intune, that MDM service can ask the device for the hardware ID (also known as a hardware hash). Once it has that, it can automatically register the device with Windows Autopilot. + +For instructions on how to do this with Microsoft Intune, see [Create an Autopilot deployment profile](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-deployment-profile) documentation describing the "Convert all targeted devices to Autopilot" setting. + +Also note that when using the [Windows Autopilot for existing devices](https://docs.microsoft.com/windows/deployment/windows-autopilot/existing-devices) scenario, it is not necessary to pre-register the devices with Windows Autopilot. Instead, a configuration file (AutopilotConfigurationFile.json) containing all the Windows Autopilot profile settings is used; the device can be registered with Windows Autopilot after the fact using the same "Convert all targeted devices to Autopilot" setting. + +## Manual registration + +To perform manual registration of a device, you must first capture its hardware ID (also known as a hardware hash). Once this process has completed, the resulting hardware ID can be uploaded to the Windows Autopilot service. Because this process requires booting the device into Windows 10 in order to obtain the hardware ID, this is intended primarily for testing and evaluation scenarios. + +## Device identification + +To define a device to the Windows Autopilot deployment service, a unique hardware ID for the device needs to be captured and uploaded to the service. While this step is ideally done by the hardware vendor (OEM, reseller, or distributor), automatically associating the device with an organization, it is also possible to do this through a harvesting process that collects the device from within a running Windows 10 version 1703 or later installation. + +The hardware ID, also commonly referred to as a hardware hash, contains several details about the device, including its manufacturer, model, device serial number, hard drive serial number, and many other attributes that can be used to uniquely identify that device. + +Note that the hardware hash also contains details about when it was generated, so it will change each time it is generated. When the Windows Autopilot deployment service attempts to match a device, it considers changes like that, as well as more substantial changes such as a new hard drive, and is still able to match successfully. But substantial changes to the hardware, such as a motherboard replacement, would not match, so a new hash would need to be generated and uploaded. + +### Collecting the hardware ID from existing devices using System Center Configuration Manager + +Starting with System Center Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [What’s new in version 1802](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details. The hash information can be extracted from Configuration Manager into a CSV file. + +### Collecting the hardware ID from existing devices using PowerShell + +The hardware ID, or hardware hash, for an existing device is available through Windows Management Instrumentation (WMI), as long as that device is running Windows 10 version 1703 or later. To help gather this information, as well as the serial number of the device (useful to see at a glance the machine to which it belongs), a PowerShell script called [Get-WindowsAutoPilotInfo.ps1 has been published to the PowerShell Gallery website](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo). + +To use this script, you can download it from the PowerShell Gallery and run it on each computer, or you can install it directly from the PowerShell Gallery. To install it directly and capture the hardware hash from the local computer, use the following commands from an elevated Windows PowerShell prompt: + +```powershell +md c:\\HWID +Set-Location c:\\HWID +Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted +Install-Script -Name Get-WindowsAutoPilotInfo +Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv +``` + +The commands can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the [Get-WindowsAutoPilotInfo](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) script’s help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information about running the script. + +>[!IMPORTANT] +>Do not connect devices to the Internet prior to capturing the hardware ID and creating an Autopilot device profile. This includes collecting the hardware ID, uploading the .CSV into MSfB or Intune, assigning the profile, and confirming the profile assignment. Connecting the device to the Internet before this process is complete will result in the device downloading a blank profile that is stored on the device until it is explicity removed. In Windows 10 version 1809, you can clear the cached profile by restarting OOBE. In previous versions, the only way to clear the stored profile is to re-install the OS, reimage the PC, or run **sysprep /generalize /oobe**.
+>After Intune reports the profile ready to go, only then should the device be connected to the Internet. + +>[!NOTE] +>If OOBE is restarted too many times it can enter a recovery mode and fail to run the Autopilot configuration. You can identify this scenario if OOBE displays multiple configuration options on the same page, including language, region, and keyboard layout. The normal OOBE displays each of these on a separate page. The following value key tracks the count of OOBE retries:
+>**HKCU\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UserOOBE**
+>To ensure OOBE has not been restarted too many times, you can change this value to 1. + +## Registering devices + + + + +Once the hardware IDs have been captured from existing devices, they can be uploaded through a variety of means. See the detailed documentation for each available mechanism. + +- [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot). This is the preferred mechanism for all customers. +- [Partner Center](https://msdn.microsoft.com/partner-center/autopilot). This is used by CSP partners to register devices on behalf of customers. +- [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa). This is typically used by small and medium businesses (SMBs) who manage their devices using Microsoft 365 Business. +- [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles). You might already be using MSfB to manage your apps and settings. + +A summary of each platform's capabilities is provided below. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Platform/Portal +Register devices? +Create/Assign profile +Acceptable DeviceID +
OEM Direct APIYES - 1000 at a time maxNOTuple or PKID
Partner CenterYES - 1000 at a time maxYESTuple or PKID or 4K HH
IntuneYES - 500 at a time max*YES*4K HH
Microsoft Store for BusinessYES - 1000 at a time maxYES4K HH
Microsoft Business 365YES - 1000 at a time maxYES4K HH
+ +>*Microsoft recommended platform to use + +## Summary + +When deploying new devices using Windows Autopilot, the following steps are required: + +1. [Register devices](#registering-devices). Ideally, this step is performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually. +2. [Configure device profiles](profiles.md), specifying how the device should be deployed and what user experience should be presented. +3. Boot the device. When the device is connected to a network with internet access, it will contact the Windows Autopilot deployment service to see if the device is registered, and if it is, it will download profile settings such as the [Enrollment Status page](enrollment-status.md), which are used to customize the end user experience. + +## Other configuration settings + +- [Bitlocker encryption settings](bitlocker.md): You can configure the BitLocker encryption settings to be applied before automatic encryption is started. + diff --git a/windows/docfx.json b/windows/docfx.json index 21cba6820f..1bac183185 100644 --- a/windows/docfx.json +++ b/windows/docfx.json @@ -9,7 +9,7 @@ ], "resource": [ { - "files": ["**/images/**"], + "files": ["**/images/**", "**/*.pdf"], "exclude": ["**/obj/**"] } ], diff --git a/windows/release-information/resolved-issues-windows-10-1903.yml b/windows/release-information/resolved-issues-windows-10-1903.yml index e0d9f8160e..0701d83bc6 100644 --- a/windows/release-information/resolved-issues-windows-10-1903.yml +++ b/windows/release-information/resolved-issues-windows-10-1903.yml @@ -32,6 +32,7 @@ sections: - type: markdown text: " + @@ -71,6 +72,7 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusDate resolved
Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters
Some devices with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards may experience compatibility issues.

See details >		N/A

Resolved
KB4522355		October 24, 2019
10:00 AM PT
dGPU occasionally disappear from device manager on Surface Book 2
Some apps or games may close or fail to open on Surface Book 2 devices with Nvidia dGPU.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Resolved
October 18, 2019
04:33 PM PT
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		OS Build 18362.357

September 23, 2019
KB4522016		Resolved
KB4517389		October 08, 2019
10:00 AM PT
Audio in games is quiet or different than expected
Microsoft has received reports that audio in certain games is quieter or different than expected.

See details >		OS Build 18362.356

September 10, 2019
KB4515384		Resolved
KB4517211		September 26, 2019
02:00 PM PT
+ diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml index f1e8b5126b..81d9631870 100644 --- a/windows/release-information/status-windows-10-1903.yml +++ b/windows/release-information/status-windows-10-1903.yml @@ -64,10 +64,10 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

DetailsOriginating updateStatusHistory
Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters
Microsoft and NEC have found incompatibility issues with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards when running Windows 10, version 1903 on specific models of NEC devices. If these devices are updated to Windows 10, version 1903, they will no longer be able to use any Wi-Fi connections. The Wi-Fi driver may have a yellow exclamation point in device manager. The task tray icon for networking may show the icon for no internet and Network & Internet settings may not show any Wi-Fi networks.

To safeguard your update experience, we have applied a compatibility hold on the affected devices from being offered Windows 10, version 1903.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4522355. The safeguard hold is estimated to be removed in mid-November.

Back to top		N/A

Resolved
KB4522355		Resolved:
October 24, 2019
10:00 AM PT

Opened:
September 13, 2019
05:25 PM PT
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517389.

Back to top		OS Build 18362.357

September 23, 2019
KB4522016		Resolved
KB4517389		Resolved:
October 08, 2019
10:00 AM PT

Opened:
September 30, 2019
06:26 PM PT
Audio in games is quiet or different than expected
Microsoft has received reports that audio in certain games is quieter or different than expected. At the request of some of our audio partners, we implemented a compatibility change that enabled certain games to query support and render multi-channel audio. Due to customer feedback, we are reverting this change as some games and some devices are not rendering multi-channel audio as expected. This may result in games sounding different than customers are used to and may have missing channels.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4517211.

Back to top		OS Build 18362.356

September 10, 2019
KB4515384		Resolved
KB4517211		Resolved:
September 26, 2019
02:00 PM PT

Opened:
September 13, 2019
05:25 PM PT
IME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard.


Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016

Resolution: Due to security related changes in KB4515384, this issue may occur when Touch Keyboard and Handwriting Panel Service is not configured to its default startup type of Manual. To resolve the issue, perform the following steps:
  1. Select the Start button and type Services.
  2. Locate Touch Keyboard and Handwriting Panel Service and double click on it or long press and select Properties.
  3. Locate Startup type: and change it to Manual
  4. Select Ok
  5. The TabletInputService service is now in the default configuration and IME should work as expected.

Back to top		OS Build 18362.356

September 10, 2019
KB4515384		Resolved
Resolved:
September 19, 2019
04:08 PM PT

Opened:
September 13, 2019
05:25 PM PT
+ - @@ -89,9 +89,9 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters
Some devices with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards may experience compatibility issues.

See details >		N/A

Resolved
KB4522355		October 24, 2019
10:00 AM PT
dGPU occasionally disappear from device manager on Surface Book 2
Some apps or games may close or fail to open on Surface Book 2 devices with Nvidia dGPU.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Resolved
October 18, 2019
04:33 PM PT
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		OS Build 18362.357

September 23, 2019
KB4522016		Resolved
KB4517389		October 08, 2019
10:00 AM PT
Audio in games is quiet or different than expected
Microsoft has received reports that audio in certain games is quieter or different than expected.

See details >		OS Build 18362.356

September 10, 2019
KB4515384		Resolved
KB4517211		September 26, 2019
02:00 PM PT
Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters
Some devices with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards may experience compatibility issues.

See details >		N/A

Mitigated
September 13, 2019
05:25 PM PT
Updates may fail to install and you may receive Error 0x80073701
Installation of updates may fail and you may receive error code 0x80073701.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Investigating
August 16, 2019
04:28 PM PT
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated External
August 01, 2019
08:44 PM PT
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated
August 01, 2019
06:27 PM PT
+ -
DetailsOriginating updateStatusHistory
Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters
Microsoft and NEC have found incompatibility issues with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards when running Windows 10, version 1903 on specific models of NEC devices. If these devices are updated to Windows 10, version 1903, they will no longer be able to use any Wi-Fi connections. The Wi-Fi driver may have a yellow exclamation point in device manager. The task tray icon for networking may show the icon for no internet and Network & Internet settings may not show any Wi-Fi networks.

To safeguard your update experience, we have applied a compatibility hold on the affected devices from being offered Windows 10, version 1903.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4522355. The safeguard hold is estimated to be removed in mid-November.

Back to top		N/A

Resolved
KB4522355		Resolved:
October 24, 2019
10:00 AM PT

Opened:
September 13, 2019
05:25 PM PT
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517389.

Back to top		OS Build 18362.357

September 23, 2019
KB4522016		Resolved
KB4517389		Resolved:
October 08, 2019
10:00 AM PT

Opened:
September 30, 2019
06:26 PM PT
Audio in games is quiet or different than expected
Microsoft has received reports that audio in certain games is quieter or different than expected. At the request of some of our audio partners, we implemented a compatibility change that enabled certain games to query support and render multi-channel audio. Due to customer feedback, we are reverting this change as some games and some devices are not rendering multi-channel audio as expected. This may result in games sounding different than customers are used to and may have missing channels.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4517211.

Back to top		OS Build 18362.356

September 10, 2019
KB4515384		Resolved
KB4517211		Resolved:
September 26, 2019
02:00 PM PT

Opened:
September 13, 2019
05:25 PM PT
Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters
Microsoft and NEC have found incompatibility issues with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards when running Windows 10, version 1903 on specific models of NEC devices. If these devices are updated to Windows 10, version 1903, they will no longer be able to use any Wi-Fi connections. The Wi-Fi driver may have a yellow exclamation point in device manager. The task tray icon for networking may show the icon for no internet and Network & Internet settings may not show any Wi-Fi networks.

To safeguard your update experience, we have applied a compatibility hold on the affected devices from being offered Windows 10, version 1903.

Affected platforms:
  • Client: Windows 10, version 1903
Workaround: If you are using an affected device and you have already installed Windows 10, version 1903, you can mitigate the issue disabling then re-enabling the Wi-Fi adapter in Device Manager. You should now be able to use Wi-Fi until your next reboot.

Next steps: Microsoft and NEC are working on a resolution and will provide an update in an upcoming release.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top		N/A

Mitigated
Last updated:
September 13, 2019
05:25 PM PT

Opened:
September 13, 2019
05:25 PM PT
" diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml index a41c2b4de0..a158f15e9b 100644 --- a/windows/release-information/windows-message-center.yml +++ b/windows/release-information/windows-message-center.yml @@ -50,6 +50,7 @@ sections: text: " + diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index adfe6b2035..1723f5ee27 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -19,18 +19,11 @@ ms.topic: article The Microsoft Virus Initiative (MVI) helps organizations to get their products working and integrated with Windows. -MVI members will receive access to Windows APIs (such as those used by Windows Defender Antivirus), and other technologies including IOAV, AMSI and Cloud Files, malware telemetry and samples, and invitations to security related events and conferences. +MVI members receive access to Windows APIs and other technologies including IOAV, AMSI and Cloud files. Members also get malware telemetry and samples and invitations to security related events and conferences. -MVI requires members to develop and own antimalware technology and to be present in the antimalware industry community. +## Become a member -## Join MVI - -A request for membership is made by an individual as a representative of an organization that develops and produces antimalware or antivirus technology. - - -### Initial selection criteria - -Your organization must meet the following eligibility requirements to qualify for the MVI program: +A request for membership is made by an individual as a representative of an organization that develops and produces antimalware or antivirus technology. Your organization must meet the following eligibility requirements to qualify for the MVI program: 1. Offer an antimalware or antivirus product that is one of the following: @@ -39,10 +32,9 @@ Your organization must meet the following eligibility requirements to qualify fo 2. Have your own malware research team unless you build a product based on an SDK. -3. Be active and have a positive reputation in the antimalware industry. Your organization is: +3. Be active and have a positive reputation in the antimalware industry. - * Certified through independent testing by an industry standard organization such as [ICSA Labs](https://www.icsalabs.com/), [West Coast Labs](http://www.westcoastlabs.com/), [PCSL IT Consulting Institute](https://www.pitci.net/), or [SKD Labs](http://www.skdlabs.com/html/english/). - * Be active in the antimalware industry. For example, participate in industry conferences, be reviewed in an industry standard report such as AV Comparatives, OPSWAT or Gartner. + * Activity can include participation in industry conferences or being reviewed in an industry standard report such as AV Comparatives, OPSWAT or Gartner. 4. Be willing to sign a non-disclosure agreement (NDA) with Microsoft. @@ -52,6 +44,19 @@ Your organization must meet the following eligibility requirements to qualify fo 7. Submit your app to Microsoft for periodic performance testing. -### Apply now +8. Certified through independent testing by at least one industry standard organization. + +Test Provider | Lab Test Type | Minimum Level / Score +------------- |---------------|---------------------- +AV-Comparatives | Real-World Protection Test
https://www.av-comparatives.org/testmethod/real-world-protection-tests/ |“Approved” rating from AV Comparatives +AV-Test | Must pass tests for Windows. Certifications for Mac and Linux are not accepted
https://www.av-test.org/en/about-the-institute/certification/ | Achieve "AV-TEST Certified" (for home users) or "AV-TEST Approved” (for corporate users) +ICSA Labs | Endpoint Anti-Malware Detection
https://www.icsalabs.com/technology-program/anti-virus/criteria |PASS/Certified +NSS Labs | Advanced Endpoint Protection AEP 3.0, which covers automatic threat prevention and threat event reporting capabilities
https://www.nsslabs.com/tested-technologies/advanced-endpoint-protection/ |“Neutral” rating from NSS +SKD Labs | Certification Requirements Product: Anti-virus or Antimalware
http://www.skdlabs.com/html/english/
http://www.skdlabs.com/cert/ |SKD Labs Star Check Certification Requirements Pass >= 98.5 % with On Demand, On Access and Total Detection tests +SE Labs | Protection A rating or Small Business EP A rating or Enterprise EP Protection A rating
https://selabs.uk/en/reports/consumers |Home or Enterprise “A” rating +VB 100 | VB100 Certification Test V1.1
https://www.virusbulletin.com/testing/vb100/vb100-methodology/vb100-methodology-ver1-1/ | VB100 Certification +West Coast Labs | Checkmark Certified
http://www.checkmarkcertified.com/sme/ | “A” Rating on Product Security Performance + +## Apply now If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md index 010fb7a43b..7558960aa6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md @@ -22,8 +22,6 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] - The Microsoft Defender ATP API Explorer is a tool that helps you explore various Microsoft Defender ATP APIs interactively. The API Explorer makes it easy to construct and perform API queries, test and send requests for any available Microsoft Defender ATP API endpoint. You can also use the API Explorer to perform actions or find data that might not yet be available through the user interface. diff --git a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md index 97adf97d65..20a35409f5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md @@ -22,7 +22,6 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] Connected applications integrates with the Microsoft Defender ATP platform using APIs. diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index 692f8cc37b..5be2ae335a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md @@ -42,10 +42,6 @@ Turn on the preview experience setting to be among the first to try upcoming fea ## Preview features The following features are included in the preview release: -- [Connected Azure AD applications](connected-applications.md)
The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender ATP in your organization. - -- [API Explorer](api-explorer.md)
The API explorer makes it easy to construct and perform API queries, test and send requests for any available Microsoft Defender ATP API endpoint. - - [Microsoft Threat Experts - Experts on Demand](microsoft-threat-experts.md)
You now have the option to consult with Microsoft Threat Experts from several places in the portal to help you in the context of your investigation. - [Indicators for IP addresses, URLs/Domains](manage-indicators.md)
You can now allow or block URLs/domains using your own threat intelligence. diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index be3d95c1f3..f93e5d7d22 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md @@ -28,6 +28,13 @@ The following features are generally available (GA) in the latest release of Mic For more information preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection). +## October 2019 + +- [Connected Azure AD applications](connected-applications.md)
The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender ATP in your organization. + +- [API Explorer](api-explorer.md)
The API explorer makes it easy to construct and perform API queries, test and send requests for any available Microsoft Defender ATP API endpoint. + + ## September 2019 - [Tamper Protection settings using Intune](../windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md#turn-tamper-protection-on-or-off-for-your-organization-using-intune)
You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management portal (Intune). diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md index c0e0200d21..8999528d45 100644 --- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md @@ -1,13 +1,19 @@ --- title: Allow COM object registration in a Windows Defender Application Control policy (Windows 10) description: You can allow COM object registration in a Windows Defender Application Control policy. +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: mdsakibMSFT -ms.author: mdsakib +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm +ms.author: dansimp +manager: dansimp ms.date: 05/21/2019 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index aed91aa7a0..a7ebe4f68b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md @@ -1,16 +1,19 @@ --- title: Audit Windows Defender Application Control (WDAC) policies (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.reviewer: -manager: dansimp -ms.author: dansimp ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm +ms.author: dansimp +manager: dansimp ms.date: 05/03/2018 --- @@ -96,5 +99,5 @@ Use the following procedure after you have been running a computer with a WDAC p You can now use this file to update the existing WDAC policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing WDAC policy, see the next section, [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md). -> [!NOTE] -> You may have noticed that you did not generate a binary version of this policy as you did in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md). This is because WDAC policies created from an audit log are not intended to run as stand-alone policies but rather to update existing WDAC policies. +> [!Note] +> You may have noticed that you did not generate a binary version of this policy as you did in [Create a Windows Defender Application Control policy from a reference computer](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy). This is because WDAC policies created from an audit log are not intended to run as stand-alone policies but rather to update existing WDAC policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md index 92c3c3aa47..52d5d95647 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md @@ -1,6 +1,7 @@ --- title: Create a code signing cert for Windows Defender Application Control (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.reviewer: manager: dansimp @@ -10,7 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm +ms.author: dansimp +manager: dansimp ms.date: 02/28/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index 67c1e0ccef..80502547f2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md @@ -1,6 +1,7 @@ --- title: Create an initial default policy (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.reviewer: manager: dansimp @@ -10,7 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm +ms.author: dansimp +manager: dansimp ms.date: 05/03/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md b/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md index 44a9846b76..f5bb41fc40 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md @@ -1,13 +1,19 @@ --- title: Windows Defender Application Control path-based rules (Windows 10) description: Beginning with Windows 10 version 1903, Windows Defender Application Control (WDAC) policies can contain path-based rules. +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: mdsakibMSFT -ms.author: mdsakib +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm +ms.author: dansimp +manager: dansimp ms.date: 05/17/2019 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md b/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md index d7f2a132fb..09c1315422 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md @@ -1,19 +1,19 @@ --- title: Create your Windows Defender Application Control (WDAC) planning document (Windows 10) description: This planning topic for the IT professional summarizes the information you need to research and include in your WDAC planning document. -ms.assetid: 41e49644-baf4-4514-b089-88adae2d624e -ms.reviewer: -ms.author: dansimp +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp audience: ITPro ms.collection: M365-security-compliance -ms.topic: conceptual +author: jsuther1974 +ms.reviewer: brbrahm +ms.author: dansimp +manager: dansimp ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md index 13fa578687..a0b5479b91 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md @@ -1,16 +1,19 @@ --- title: Deploy catalog files to support Windows Defender Application Control (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.reviewer: -manager: dansimp -ms.author: dansimp ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm +ms.author: dansimp +manager: dansimp ms.date: 02/28/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 97eea2439c..ee7ead5e95 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -1,13 +1,19 @@ --- title: Deploy multiple Windows Defender Application Control Policies (Windows 10) description: Windows Defender Application Control supports multiple code integrity policies for one device. +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: mdsakibMSFT -ms.author: mdsakib +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm +ms.author: dansimp +manager: dansimp ms.date: 05/17/2019 --- @@ -44,16 +50,16 @@ Note that multiple policies will not work on pre-1903 systems. ### Allow Multiple Policies -In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in New-CIPolicy results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base. +In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below is an example of creating a new policy in the multiple policy format. ```powershell -New-CIPolicy -MultiplePolicyFormat -foo –bar +New-CIPolicy -MultiplePolicyFormat -ScanPath '.\temp\' -UserPEs -FilePath ".\policy.xml" -Level Publisher -Fallback Hash ``` Optionally, you can choose to make the new base policy supplementable (allow supplemental policies). ```powershell -Set-RuleOption -FilePath Enabled:Allow Supplemental Policies +Set-RuleOption -FilePath -Option 17 ``` For signed base policies that are being made supplementable, you need to ensure that supplemental signers are defined. Use the "Supplemental" switch in Add-SignerRule to provide supplemental signers. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md index e4c776c47e..22ea7b222c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md @@ -1,16 +1,19 @@ --- title: Deploy Windows Defender Application Control (WDAC) policies by using Group Policy (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.reviewer: -manager: dansimp -ms.author: dansimp ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm +ms.author: dansimp +manager: dansimp ms.date: 02/28/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 61a3e06b58..03921c380e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md @@ -1,16 +1,19 @@ --- title: Deploy Windows Defender Application Control (WDAC) policies by using Microsoft Intune (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.reviewer: -manager: dansimp -ms.author: dansimp ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm +ms.author: dansimp +manager: dansimp ms.date: 05/17/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md index 79cdfd3512..914ea84187 100644 --- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md @@ -1,16 +1,19 @@ --- title: Disable Windows Defender Application Control policies (Windows 10) description: This topic covers how to disable unsigned or signed WDAC policies. +keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.reviewer: -manager: dansimp -ms.author: dansimp ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm +ms.author: dansimp +manager: dansimp ms.date: 05/03/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md b/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md index f29188cd79..692278772f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md +++ b/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md @@ -1,18 +1,19 @@ --- title: Document your application control management processes (Windows 10) description: This planning topic describes the WDAC policy maintenance information to record for your design document. -ms.assetid: 6397f789-0e36-4933-9f86-f3f6489cf1fb -ms.reviewer: -ms.author: dansimp +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp audience: ITPro ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm +ms.author: dansimp +manager: dansimp ms.topic: conceptual ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md index 13a60fe360..8e3742d802 100644 --- a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md @@ -1,16 +1,19 @@ --- title: Enforce Windows Defender Application Control (WDAC) policies (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.reviewer: -manager: dansimp -ms.author: dansimp ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm +ms.author: dansimp +manager: dansimp ms.date: 05/03/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md index fbad450704..5ec4473345 100644 --- a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md @@ -1,16 +1,19 @@ --- title: Manage packaged apps with Windows Defender Application Control (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.reviewer: -manager: dansimp -ms.author: dansimp ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm +ms.author: dansimp +manager: dansimp ms.date: 05/14/2019 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md index 4d04e9f6fa..f29ba398bf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md @@ -1,16 +1,19 @@ --- title: Merge Windows Defender Application Control (WDAC) policies (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.reviewer: -manager: dansimp -ms.author: dansimp ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm +ms.author: dansimp +manager: dansimp ms.date: 05/03/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 387ba074e2..dba43ea768 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -1,16 +1,20 @@ --- title: Microsoft recommended block rules (Windows 10) description: To help you plan and begin the initial test stages of a deployment of Microsoft Windows Defender Application Control, this article outlines how to gather information, create a plan, and begin to create and test initial code integrity policies. -keywords: virtualization, security, malware +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security ms.localizationpriority: medium -author: dansimp audience: ITPro -ms.date: 04/09/2019 -ms.reviewer: -manager: dansimp +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm ms.author: dansimp +manager: dansimp +ms.date: 04/09/2019 --- # Microsoft recommended block rules diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md index be74ddf1f0..385daa5129 100644 --- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md @@ -1,16 +1,20 @@ --- title: Plan for Windows Defender Application Control policy management (Windows 10) description: Plan for Windows Defender Application Control policy management. +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.date: 02/21/2018 -ms.reviewer: -manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm ms.author: dansimp +manager: dansimp +ms.date: 02/21/2018 --- # Plan for Windows Defender Application Control policy management diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md index fa2f7af6ec..0e989f1c6e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md +++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md @@ -1,16 +1,20 @@ --- title: Querying Application Control events centrally using Advanced hunting (Windows 10) description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet. +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 -ms.mktglfcycl: manage +ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm ms.author: dansimp -ms.date: 12/06/2018 -ms.reviewer: manager: dansimp +ms.date: 12/06/2018 --- # Querying Application Control events centrally using Advanced hunting diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 287c247293..153465c8df 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -1,16 +1,20 @@ --- title: Select the types of rules to create (Windows 10) description: Select the types of rules to create. +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.date: 04/20/2018 -ms.reviewer: -manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm ms.author: dansimp +manager: dansimp +ms.date: 04/20/2018 --- # Deploy Windows Defender Application Control policy rules and file rules diff --git a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md b/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md index 7f2c0b16d3..8c2d524fbb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md +++ b/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md @@ -1,16 +1,20 @@ --- title: Signing Windows Defender Application Control policies with SignTool.exe (Windows 10) description: SSigned WDAC policies give organizations the highest level of malware protection available in Windows 10. +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.date: 02/21/2018 -ms.reviewer: -manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm ms.author: dansimp +manager: dansimp +ms.date: 02/21/2018 --- # Signing Windows Defender Application Control policies with SignTool.exe diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md index aacc7afb09..8a86d231a0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md @@ -1,18 +1,20 @@ --- title: types of devices (Windows 10) description: Typically, deployment of Windows Defender Application Control happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. -keywords: virtualization, security, malware +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp audience: ITPro ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 03/01/2018 -ms.reviewer: +author: jsuther1974 +ms.reviewer: brbrahm ms.author: dansimp +manager: dansimp +ms.date: 03/01/2018 --- # Windows Defender Application Control deployment in different scenarios: types of devices diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md index 5f6b6c7849..d73468d703 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md @@ -1,6 +1,7 @@ --- title: Understand Windows Defender Application Control policy design decisions (Windows 10) description: Understand Windows Defender Application Control policy design decisions. +keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.reviewer: manager: dansimp @@ -10,7 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm +ms.author: dansimp +manager: dansimp ms.date: 02/08/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md index 597df3c8b3..c5a77d3560 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md @@ -1,6 +1,7 @@ --- title: Use code signing to simplify application control for classic Windows applications (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.reviewer: manager: dansimp @@ -10,7 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm +ms.author: dansimp +manager: dansimp ms.date: 05/03/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md index 567c3db270..f6783c1ecb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md @@ -1,6 +1,7 @@ --- title: Use the Device Guard Signing Portal in the Microsoft Store for Business (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.reviewer: manager: dansimp @@ -10,7 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm +ms.author: dansimp +manager: dansimp ms.date: 02/19/2019 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index 7cca116982..ee98e15eea 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -1,6 +1,7 @@ --- title: Use signed policies to protect Windows Defender Application Control against tampering (Windows 10) description: Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. +keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.reviewer: manager: dansimp @@ -10,7 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm +ms.author: dansimp +manager: dansimp ms.date: 05/03/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md index 8919d6d670..142d3154f9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md @@ -1,6 +1,7 @@ --- title: Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.reviewer: manager: dansimp @@ -10,7 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm +ms.author: dansimp +manager: dansimp ms.date: 05/03/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md index 8d7885f549..384f767155 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md @@ -1,16 +1,19 @@ --- title: Windows Defender Application Control and .NET Hardening (Windows 10) description: Dynamic Code Security is an application control feature that can verify code loaded by .NET at runtime. +keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.reviewer: -manager: dansimp -ms.author: dansimp ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm +ms.author: dansimp +manager: dansimp ms.date: 08/20/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index 91eec3f5c5..df410081c3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md @@ -1,14 +1,20 @@ --- title: Deploy Windows Defender Application Control with Intelligent Security Graph (ISG) (Windows 10) description: Automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation. +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.date: 06/14/2018 -ms.reviewer: -manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm ms.author: dansimp +manager: dansimp +ms.date: 06/14/2018 --- # Use Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md index 1c2b670b16..3011af49ff 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md @@ -1,15 +1,20 @@ --- title: Deploy Managed Installer for Windows Defender Device Guard (Windows 10) description: Explains how you can use a managed installer to automatically authorize applications deployed and installed by a designated software distribution solution, such as System Center Configuration Manager. -keywords: virtualization, security, malware +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.date: 06/13/2018 -ms.reviewer: -manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm ms.author: dansimp +manager: dansimp +ms.date: 06/13/2018 --- # Deploy Managed Installer for Windows Defender Application Control diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md index 38cfd605db..629c35deb5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md @@ -1,15 +1,20 @@ --- title: Planning and getting started on the Windows Defender Application Control deployment process (Windows 10) description: To help you plan and begin the initial test stages of a deployment of Microsoft Windows Defender Application Control, this article outlines how to gather information, create a plan, and begin to create and test initial code integrity policies. -keywords: virtualization, security, malware +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.date: 05/16/2018 -ms.reviewer: -manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm ms.author: dansimp +manager: dansimp +ms.date: 05/16/2018 --- # Planning and getting started on the Windows Defender Application Control deployment process diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md index e9719fd4e4..77227ccae5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md @@ -1,18 +1,21 @@ --- title: Windows Defender Application Control design guide (Windows 10) description: Microsoft Windows Defender Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. -keywords: virtualization, security, malware +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp audience: ITPro ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm +ms.author: dansimp +manager: dansimp ms.topic: conceptual ms.date: 02/20/2018 -ms.reviewer: -ms.author: dansimp --- # Windows Defender Application Control design guide @@ -34,4 +37,3 @@ This guide covers design and planning for Windows Defender Application Control ( | [Create your WDAC planning document](create-your-windows-defender-application-control-planning-document.md) | This planning topic summarizes the information you need to research and include in your planning document. | After planning is complete, the next step is to deploy WDAC. The [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies. - diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index 3605322e2c..7fcc89b839 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -1,16 +1,19 @@ --- title: Windows Defender Application Control (WDAC) (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.reviewer: -manager: dansimp -ms.author: dansimp ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm +ms.author: dansimp +manager: dansimp ms.date: 01/08/2019 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-device-guard-and-applocker.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-device-guard-and-applocker.md index bc80b871c8..dfb54e5cb5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-device-guard-and-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-device-guard-and-applocker.md @@ -1,15 +1,20 @@ --- title: Windows Defender Device Guard and AppLocker (Windows 10) description: Explains how -keywords: virtualization, security, malware +keywords: virtualization, whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.date: 05/03/2018 -ms.reviewer: -manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: brbrahm ms.author: dansimp +manager: dansimp +ms.date: 05/03/2018 --- # Windows Defender Device Guard with AppLocker
MessageDate
October 2019 Windows 10, version 1903 \"D\" optional release is available.
The October 2019 optional monthly “D” release for Windows 10, version 1903 is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release.
October 24, 2019
08:00 AM PT
October 2019 Windows \"C\" optional release is available.
The October 2019 optional monthly “C” release for all supported versions of Windows is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release.
October 15, 2019
09:59 AM PT
Windows 10, version 1703 has reached end of service
Consumer and commercial editions of Windows 10, version 1703 have reached end of service. As devices running these editions are no longer receiving monthly security and quality updates containing protections from the latest security threats, we recommend that you update these devices to the latest version of Windows 10 immediately. For more information on end of service dates currently supported versions of Windows 10, see the Windows lifecycle fact sheet.
October 09, 2019
12:00 PM PT
Take Action: October 2019 security update available for all supported versions of Windows
The October 2019 security update release, referred to as our “B” release, is now available for Windows 10, version 1903 and all supported versions of Windows. We recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
 
October 08, 2019
08:00 AM PT