deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into pm-20250402-taskbar

Browse Source
This commit is contained in:
Paolo Matarazzo 2025-04-09 17:52:12 -04:00
commit 7153efc204
55 changed files with 1268 additions and 676 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
education/windows/edu-take-a-test-kiosk-mode.md
View File

@ -1,7 +1,7 @@
---
title: Configure Take a Test in kiosk mode
description: Learn how to configure Windows to execute the Take a Test app in kiosk mode, using Intune and provisioning packages.
ms.date: 09/06/2024
title: Configure Take a Test in Kiosk Mode
description: Learn how to configure Windows to execute the Take a Test app in kiosk mode using different methods.
ms.date: 04/07/2025
ms.topic: how-to
---
@ -11,10 +11,11 @@ Executing Take a Test in kiosk mode is the recommended option for high stakes as
The configuration of Take a Test in kiosk mode can be done using:
- Microsoft Intune/MDM
- a provisioning package (PPKG)
- Microsoft Intune
- Configuration service provider (CSP)
- A provisioning package (PPKG)
- PowerShell
- the Settings app
- The Settings app
When using the Settings app, you can configure Take a Test in kiosk mode using a local account only. This option is recommended for devices that aren't managed.
The other options allow you to configure Take a Test in kiosk mode using a local account, an account defined in the directory, or a guest account.
@ -26,19 +27,7 @@ The other options allow you to configure Take a Test in kiosk mode using a local
Follow the instructions below to configure your devices, selecting the option that best suits your needs.
# [:::image type="icon" source="images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
You can use Intune for Education or a custom profile in Microsoft Intune:
- Intune for Education provides a simpler experience
- A custom profile provides more flexibility and controls over the configuration
> [!IMPORTANT]
> Currently, the policy created in Intune for Education is applicable to Windows 10 and Windows 11 only. **It will not apply to Windows 11 SE devices.**
>
> If you want to configure Take a Test for Windows 11 SE devices, you must use a custom policy.
### Configure Take a Test from Intune for Education
# [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
To configure devices using Intune for Education, follow these steps:
@ -51,23 +40,19 @@ To configure devices using Intune for Education, follow these steps:
:::image type="content" source="./images/takeatest/intune-education-take-a-test-profile.png" alt-text="Intune for Education - creation of a Take a Test profile." lightbox="./images/takeatest/intune-education-take-a-test-profile.png" border="true":::
### Configure Take a Test with a custom policy
# [:::image type="icon" source="images/icons/csp.svg"::: **CSP**](#tab/csp)
[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)]
To configure devices using configuration service providers, use the following settings:
| Setting |
|--------|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn`** </li><li> Data type: **Integer** </li><li>Value: **1**</li>|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/WindowsLogon/HideFastUserSwitching`** </li><li> Data type: **Integer**</li><li>Value: **1**</li>|
| <li> OMA-URI: **`./Vendor/MSFT/SharedPC/AccountModel`**</li><li>Data type: **Integer** </li><li> Value: **1**</li>|
| <li> OMA-URI: **`./Vendor/MSFT/SharedPC/EnableAccountManager`**</li><li>Data type: **Boolean** </li><li> Value: **True**</li>|
| <li> OMA-URI: **`./Vendor/MSFT/SharedPC/KioskModeAUMID`**</li><li>Data type: **String** </li><li> Value: **Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App**</li>|
| <li> OMA-URI: **`./Vendor/MSFT/SharedPC/KioskModeUserTileDisplayText`** </li><li>Data type: **String** </li><li> Value: **Take a Test** (or a string of your choice to display in the sing-in screen)</li>|
| <li> OMA-URI: **`./Vendor/MSFT/SecureAssessment/LaunchURI`** </li><li>Data type: **String** </li><li> Value: **\<provide testing URL>**</li>|
:::image type="content" source="./images/takeatest/intune-take-a-test-custom-profile.png" alt-text="Intune portal - creation of a custom policy to configure Take a Test." lightbox="./images/takeatest/intune-take-a-test-custom-profile.png" border="true":::
[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)]
| - **OMA-URI:** `./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/`[InteractiveLogon_DoNotDisplayLastSignedIn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#interactivelogon_donotdisplaylastsignedin) <br>- **Data type:** Integer <br>- **Value:** `1`|
| - **OMA-URI:** `./Vendor/MSFT/Policy/Config/WindowsLogon/`[HideFastUserSwitching](/windows/client-management/mdm/policy-csp-windowslogon#hidefastuserswitching) <br>- **Data type:** Integer<br>- **Value:** `1`|
| - **OMA-URI:** `./Vendor/MSFT/SharedPC/`[AccountModel](/windows/client-management/mdm/sharedpc-csp#accountmodel)<br>- **Data type:** Integer <br>- **Value:** `1`|
| - **OMA-URI:** `./Vendor/MSFT/SharedPC/`[EnableAccountManager](/windows/client-management/mdm/sharedpc-csp#enableaccountmanager)<br>- **Data type:** Boolean <br>- **Value:** `True`|
| - **OMA-URI:** `./Vendor/MSFT/SharedPC/`[KioskModeAUMID](/windows/client-management/mdm/sharedpc-csp#kioskmodeaumid)<br>- **Data type:** String <br>- **Value:** `Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App`|
| - **OMA-URI:** `./Vendor/MSFT/SharedPC/`[KioskModeUserTileDisplayText](/windows/client-management/mdm/sharedpc-csp#KioskModeUserTileDisplayText) <br>- **Data type:** String <br>- **Value:** **Take a Test** (or a string of your choice to display in the sing-in screen)|
| - **OMA-URI:** `./Vendor/MSFT/SecureAssessment/`[LaunchURI](/windows/client-management/mdm/sharedpc-csp#LaunchURI) <br>- **Data type:** String <br>- **Value:** \<testing URL>|
# [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
@ -88,13 +73,13 @@ Create a provisioning package using the Set up School PCs app, configuring the s
| Setting |
|--------|
| <li> Path: **`Policies/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn`** </li><li>Value: **Enabled**</li>|
| <li> Path: **`Policies/WindowsLogon/HideFastUserSwitching`** </li><li>Value: **True**</li>|
| <li> Path: **`SharedPC/AccountManagement/AccountModel`** </li><li>Value: **Domain-joined only**</li>|
| <li> Path: **`SharedPC/AccountManagement/EnableAccountManager`** </li><li>Value: **True**</li>|
| <li> Path: **`SharedPC/AccountManagement/KioskModeAUMID`** </li><li>Value: **Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App**</li>|
| <li> Path: **`SharedPC/AccountManagement/KioskModeUserTileDisplayText`** </li><li>Value: **Take a Test** (or a string of your choice to display in the sing-in screen)</li>|
| <li> Path: **`TakeATest/LaunchURI/`** </li><li>Value: **\<provide testing URL>**</li>|
| - Path: `Policies/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn` <br>- **Value:** `Enabled`|
| - Path: `Policies/WindowsLogon/HideFastUserSwitching` <br>- **Value:** True|
| - Path: `SharedPC/AccountManagement/AccountModel` <br>- **Value:** Domain-joined only|
| - Path: `SharedPC/AccountManagement/EnableAccountManager` <br>- **Value:** True|
| - Path: `SharedPC/AccountManagement/KioskModeAUMID` <br>- **Value:** **Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App**|
| - Path: `SharedPC/AccountManagement/KioskModeUserTileDisplayText` <br>- **Value:** Take a Test (or a string of your choice to display in the sing-in screen)|
| - Path: `TakeATest/LaunchURI/` <br>- **Value:** \<testing URL>|
:::image type="content" source="./images/takeatest/wcd-take-a-test.png" alt-text="Windows Configuration Designer - configuration of policies to enable Take a Test to run in kiosk mode" lightbox="./images/takeatest/wcd-take-a-test.png" border="true":::

10
education/windows/images/icons/csp.svg Normal file
View File

@ -0,0 +1,10 @@
<svg width="18" height="18" viewBox="0 0 18 18" fill="none" xmlns="http://www.w3.org/2000/svg">
<g clip-path="url(#clip0_461_479)">
<path d="M9.01098 0.225006C9.67158 0.23262 10.3296 0.30894 10.9743 0.452742C11.2558 0.515517 11.4663 0.750165 11.4982 1.03677L11.6514 2.41094C11.7208 3.04188 12.2535 3.51976 12.8885 3.52043C13.0593 3.5207 13.2281 3.48515 13.3859 3.41535L14.6464 2.86161C14.9086 2.74644 15.215 2.80923 15.4106 3.01826C16.3216 3.99118 17 5.15804 17.3949 6.43103C17.4801 6.70553 17.3821 7.00383 17.1508 7.17436L16.0334 7.99795C15.7146 8.23213 15.5264 8.60401 15.5264 8.99956C15.5264 9.39502 15.7146 9.7669 16.0341 10.0016L17.1524 10.8255C17.3838 10.9959 17.4819 11.2943 17.3967 11.5689C17.002 12.8417 16.3239 14.0084 15.4135 14.9815C15.218 15.1905 14.9119 15.2535 14.6498 15.1385L13.3841 14.5841C13.0219 14.4256 12.6061 14.4488 12.2639 14.6466C11.9217 14.8443 11.694 15.1931 11.6505 15.5859L11.4983 16.96C11.4669 17.2433 11.261 17.4764 10.9836 17.5424C9.68004 17.8525 8.32185 17.8525 7.01823 17.5424C6.74092 17.4764 6.53495 17.2433 6.50356 16.96L6.35162 15.588C6.30699 15.1959 6.07891 14.8482 5.73698 14.6511C5.39506 14.454 4.97988 14.4309 4.61898 14.5885L3.35301 15.143C3.0908 15.258 2.78463 15.195 2.5891 14.9858C1.67816 14.0117 1.00007 12.8435 0.605881 11.5693C0.520975 11.2949 0.619075 10.9967 0.850366 10.8264L1.96936 10.002C2.28809 9.7678 2.47632 9.39592 2.47632 9.00046C2.47632 8.60491 2.28809 8.23303 1.96894 7.99858L0.850645 7.17557C0.619021 7.00511 0.520831 6.70661 0.606034 6.43193C1.00091 5.15894 1.67935 3.99208 2.59032 3.01916C2.78603 2.81013 3.09235 2.74734 3.35452 2.86251L4.61486 3.41615C4.97751 3.57531 5.39442 3.55127 5.73819 3.35043C6.08048 3.15189 6.30836 2.8028 6.35235 2.40988L6.50542 1.03677C6.53739 0.750021 6.74807 0.515292 7.02972 0.452652C7.67529 0.309084 8.334 0.232791 9.01098 0.225006ZM8.99973 6.29996C7.50852 6.29996 6.29973 7.5088 6.29973 9.00001C6.29973 10.4911 7.50852 11.7 8.99973 11.7C10.4909 11.7 11.6997 10.4911 11.6997 9.00001C11.6997 7.5088 10.4909 6.29996 8.99973 6.29996Z" fill="#0883D9"/>
</g>
<defs>
<clipPath id="clip0_461_479">
<rect width="18" height="18" fill="white"/>
</clipPath>
</defs>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 2.1 KiB

BIN
education/windows/images/takeatest/intune-take-a-test-custom-profile.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 221 KiB

4
education/windows/take-a-test-app-technical.md
View File

@ -1,7 +1,7 @@
---
title: Take a Test app technical reference
title: Take a Test App Technical Reference
description: List of policies and settings applied by the Take a Test app.
ms.date: 09/06/2024
ms.date: 04/07/2025
ms.topic: reference
---

20
windows/client-management/mdm/bitlocker-csp.md
View File

@ -1,7 +1,7 @@
---
title: BitLocker CSP
description: Learn more about the BitLocker CSP.
ms.date: 03/12/2025
ms.date: 04/04/2025
ms.topic: generated-reference
---
@ -175,7 +175,7 @@ The expected values for this policy are:
1 = This is the default, when the policy isn't set. Warning prompt and encryption notification is allowed.
0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, the value 0 only takes effect on Microsoft Entra joined devices.
0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, the value 0 only takes effect on Entra ID joined devices.
Windows will attempt to silently enable BitLocker for value 0.
<!-- Device-AllowWarningForOtherDiskEncryption-Description-End -->
@ -209,7 +209,7 @@ Windows will attempt to silently enable BitLocker for value 0.
| Value | Description |
|:--|:--|
| 0 | Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Microsoft Entra joined devices. Windows will attempt to silently enable BitLocker for value 0. |
| 0 | Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Entra ID joined devices. Windows will attempt to silently enable BitLocker for value 0. |
| 1 (Default) | Warning prompt allowed. |
<!-- Device-AllowWarningForOtherDiskEncryption-AllowedValues-End -->
@ -251,9 +251,9 @@ Windows will attempt to silently enable BitLocker for value 0.
<!-- Device-ConfigureRecoveryPasswordRotation-Description-Begin -->
<!-- Description-Source-DDF -->
Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Microsoft Entra ID and hybrid domain joined devices.
Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Entra ID and hybrid domain joined devices.
When not configured, Rotation is turned on by default for Microsoft Entra ID only and off on hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required.
When not configured, Rotation is turned on by default for Entra ID only and off on hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required.
For OS drive: Turn on "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives".
@ -261,8 +261,8 @@ For Fixed drives: Turn on "Do not enable BitLocker until recovery information is
Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
1 - Numeric Recovery Passwords Rotation upon use ON for Microsoft Entra joined devices. Default value
2 - Numeric Recovery Passwords Rotation upon use ON for both Microsoft Entra ID and hybrid devices.
1 - Numeric Recovery Passwords Rotation upon use ON for Entra ID joined devices. Default value
2 - Numeric Recovery Passwords Rotation upon use ON for both Entra ID and hybrid devices.
<!-- Device-ConfigureRecoveryPasswordRotation-Description-End -->
<!-- Device-ConfigureRecoveryPasswordRotation-Editable-Begin -->
@ -285,8 +285,8 @@ Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
| Value | Description |
|:--|:--|
| 0 (Default) | Refresh off (default). |
| 1 | Refresh on for Microsoft Entra joined devices. |
| 2 | Refresh on for both Microsoft Entra joined and hybrid-joined devices. |
| 1 | Refresh on for Entra ID-joined devices. |
| 2 | Refresh on for both Entra ID-joined and hybrid-joined devices. |
<!-- Device-ConfigureRecoveryPasswordRotation-AllowedValues-End -->
<!-- Device-ConfigureRecoveryPasswordRotation-Examples-Begin -->
@ -1212,7 +1212,7 @@ Disabling the policy won't turn off the encryption on the storage card. But will
<!-- Device-RotateRecoveryPasswords-Description-Begin -->
<!-- Description-Source-DDF -->
Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on a Microsoft Entra ID or hybrid-joined device.
Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Entra ID or hybrid-joined device.
This policy is Execute type and rotates all numeric passwords when issued from MDM tools.

20
windows/client-management/mdm/bitlocker-ddf-file.md
View File

@ -1,7 +1,7 @@
---
title: BitLocker DDF file
description: View the XML file containing the device description framework (DDF) for the BitLocker configuration service provider.
ms.date: 02/13/2025
ms.date: 04/04/2025
ms.topic: generated-reference
---
@ -580,7 +580,7 @@ The following XML file contains the device description framework (DDF) for the B
1 = This is the default, when the policy is not set. Warning prompt and encryption notification is allowed.
0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update,
the value 0 only takes affect on Azure Active Directory joined devices.
the value 0 only takes affect on Entra ID joined devices.
Windows will attempt to silently enable BitLocker for value 0.
If you want to disable this policy use the following SyncML:
@ -600,7 +600,7 @@ The following XML file contains the device description framework (DDF) for the B
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0.</MSFT:ValueDescription>
<MSFT:ValueDescription>Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Entra ID joined devices. Windows will attempt to silently enable BitLocker for value 0.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
@ -680,15 +680,15 @@ The following XML file contains the device description framework (DDF) for the B
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description> Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on AAD and Hybrid domain joined devices.
When not configured, Rotation is turned on by default for AAD only and off on Hybrid. The Policy will be effective only when
<Description> Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Entra ID and Hybrid domain joined devices.
When not configured, Rotation is turned on by default for Entra ID only and off on Hybrid. The Policy will be effective only when
Active Directory back up for recovery password is configured to required.
For OS drive: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for operating system drives"
For Fixed drives: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for fixed data drives"
Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
1 - Numeric Recovery Passwords Rotation upon use ON for AAD joined devices. Default value
2 - Numeric Recovery Passwords Rotation upon use ON for both AAD and Hybrid devices
1 - Numeric Recovery Passwords Rotation upon use ON for Entra ID joined devices. Default value
2 - Numeric Recovery Passwords Rotation upon use ON for both Entra ID and Hybrid devices
If you want to disable this policy use the following SyncML:
@ -716,11 +716,11 @@ The following XML file contains the device description framework (DDF) for the B
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Refresh on for Azure AD-joined devices</MSFT:ValueDescription>
<MSFT:ValueDescription>Refresh on for Entra ID-joined devices</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Refresh on for both Azure AD-joined and hybrid-joined devices</MSFT:ValueDescription>
<MSFT:ValueDescription>Refresh on for both Entra ID-joined and hybrid-joined devices</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
@ -731,7 +731,7 @@ The following XML file contains the device description framework (DDF) for the B
<AccessType>
<Exec />
</AccessType>
<Description> Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Azure Active Directory or hybrid-joined device.
<Description> Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Entra ID or hybrid-joined device.
This policy is Execute type and rotates all numeric passwords when issued from MDM tools.
The policy only comes into effect when Active Directory backup for a recovery password is configured to "required."

10
windows/client-management/mdm/firewall-csp.md
View File

@ -1,7 +1,7 @@
---
title: Firewall CSP
description: Learn more about the Firewall CSP.
ms.date: 03/12/2025
ms.date: 04/04/2025
ms.topic: generated-reference
---
@ -1896,9 +1896,7 @@ New rules have the EdgeTraversal property disabled by default.
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Enabled-Description-Begin -->
<!-- Description-Source-DDF -->
Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true.
If not specified - a new rule is disabled by default.
Indicates whether the rule is enabled or disabled. If not specified - a new rule is enabled by default.
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Enabled-Description-End -->
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Enabled-Editable-Begin -->
@ -3254,9 +3252,7 @@ If not specified the default is OUT.
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-Description-Begin -->
<!-- Description-Source-DDF -->
Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true.
If not specified - a new rule is disabled by default.
Indicates whether the rule is enabled or disabled. If not specified - a new rule is enabled by default.
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-Description-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-Editable-Begin -->

8
windows/client-management/mdm/firewall-ddf-file.md
View File

@ -1,7 +1,7 @@
---
title: Firewall DDF file
description: View the XML file containing the device description framework (DDF) for the Firewall configuration service provider.
ms.date: 02/13/2025
ms.date: 04/04/2025
ms.topic: generated-reference
---
@ -4060,8 +4060,7 @@ An IPv6 address range in the format of "start address - end address" with no spa
<Get />
<Replace />
</AccessType>
<Description>Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true.
If not specified - a new rule is disabled by default.</Description>
<Description>Indicates whether the rule is enabled or disabled. If not specified - a new rule is enabled by default.</Description>
<DFFormat>
<bool />
</DFFormat>
@ -4760,8 +4759,7 @@ An IPv6 address range in the format of "start address - end address" with no spa
<Get />
<Replace />
</AccessType>
<Description>Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true.
If not specified - a new rule is disabled by default.</Description>
<Description>Indicates whether the rule is enabled or disabled. If not specified - a new rule is enabled by default.</Description>
<DFFormat>
<bool />
</DFFormat>

28
windows/client-management/mdm/policies-in-preview.md
View File

@ -1,7 +1,7 @@
---
title: Configuration service provider preview policies
description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview.
ms.date: 03/26/2025
ms.date: 04/04/2025
ms.topic: generated-reference
---
@ -23,6 +23,7 @@ This article lists the policies that are applicable for Windows Insider Preview
## ApplicationManagement
- [AllowedNonAdminPackageFamilyNameRules](policy-csp-applicationmanagement.md#allowednonadminpackagefamilynamerules)
- [ConfigureMSIXAuthenticationAuthorizedDomains](policy-csp-applicationmanagement.md#configuremsixauthenticationauthorizeddomains)
## ClientCertificateInstall CSP
@ -92,9 +93,8 @@ This article lists the policies that are applicable for Windows Insider Preview
## HumanPresence
- [ForcePrivacyScreen](policy-csp-humanpresence.md#forceprivacyscreen)
- [ForcePrivacyScreenDim](policy-csp-humanpresence.md#forceprivacyscreendim)
- [ForcePrivacyScreenNotification](policy-csp-humanpresence.md#forceprivacyscreennotification)
- [ForceOnlookerDetection](policy-csp-humanpresence.md#forceonlookerdetection)
- [ForceOnlookerDetectionAction](policy-csp-humanpresence.md#forceonlookerdetectionaction)
## InternetExplorer
@ -111,6 +111,16 @@ This article lists the policies that are applicable for Windows Insider Preview
- [StartInstallation](language-pack-management-csp.md#installlanguage-idstartinstallation)
- [SystemPreferredUILanguages](language-pack-management-csp.md#languagesettingssystempreferreduilanguages)
## LanmanWorkstation
- [AuditInsecureGuestLogon](policy-csp-lanmanworkstation.md#auditinsecureguestlogon)
- [AuditServerDoesNotSupportEncryption](policy-csp-lanmanworkstation.md#auditserverdoesnotsupportencryption)
- [AuditServerDoesNotSupportSigning](policy-csp-lanmanworkstation.md#auditserverdoesnotsupportsigning)
- [EnableMailslots](policy-csp-lanmanworkstation.md#enablemailslots)
- [MaxSmb2Dialect](policy-csp-lanmanworkstation.md#maxsmb2dialect)
- [MinSmb2Dialect](policy-csp-lanmanworkstation.md#minsmb2dialect)
- [RequireEncryption](policy-csp-lanmanworkstation.md#requireencryption)
## LocalPoliciesSecurityOptions
- [InteractiveLogon_NumberOfPreviousLogonsToCache](policy-csp-localpoliciessecurityoptions.md#interactivelogon_numberofpreviouslogonstocache)
@ -133,6 +143,10 @@ This article lists the policies that are applicable for Windows Insider Preview
- [DisablePostLogonProvisioning](passportforwork-csp.md#devicetenantidpoliciesdisablepostlogonprovisioning)
## Power
- [EnableEnergySaver](policy-csp-power.md#enableenergysaver)
## Printers
- [ConfigureIppTlsCertificatePolicy](policy-csp-printers.md#configureipptlscertificatepolicy)
@ -165,6 +179,10 @@ This article lists the policies that are applicable for Windows Insider Preview
- [ExchangeModernAuthEnabled](surfacehub-csp.md#deviceaccountexchangemodernauthenabled)
## System
- [DisableCHPE](policy-csp-system.md#disablechpe)
## TextInput
- [TouchKeyboardControllerModeAvailability](policy-csp-textinput.md#touchkeyboardcontrollermodeavailability)
@ -180,10 +198,12 @@ This article lists the policies that are applicable for Windows Insider Preview
## WindowsAI
- [DisableAIDataAnalysis](policy-csp-windowsai.md#disableaidataanalysis)
- [SetDenyAppListForRecall](policy-csp-windowsai.md#setdenyapplistforrecall)
- [SetDenyUriListForRecall](policy-csp-windowsai.md#setdenyurilistforrecall)
- [SetMaximumStorageSpaceForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots)
- [SetMaximumStorageDurationForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots)
- [DisableClickToDo](policy-csp-windowsai.md#disableclicktodo)
- [DisableImageCreator](policy-csp-windowsai.md#disableimagecreator)
- [DisableCocreator](policy-csp-windowsai.md#disablecocreator)
- [DisableGenerativeFill](policy-csp-windowsai.md#disablegenerativefill)

50
windows/client-management/mdm/policy-csp-applicationmanagement.md
View File

@ -1,7 +1,7 @@
---
title: ApplicationManagement Policy CSP
description: Learn more about the ApplicationManagement Area in Policy CSP.
ms.date: 03/12/2025
ms.date: 04/04/2025
ms.topic: generated-reference
---
@ -635,6 +635,54 @@ Manages non-Administrator users' ability to install Windows app packages.
<!-- BlockNonAdminUserInstall-End -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Begin -->
## ConfigureMSIXAuthenticationAuthorizedDomains
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Applicability-End -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/ConfigureMSIXAuthenticationAuthorizedDomains
```
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-OmaUri-End -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Description-Begin -->
<!-- Description-Source-DDF -->
Defines a regular expression in ECMA Script. When performing a streaming MSIX install, if this regular expression matches the domain name (uppercased) then the user's EntraID OAuth token will be attached to the request.
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Description-End -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Editable-End -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-DFProperties-End -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ConfigureMSIXAuthenticationAuthorizedDomains |
| Path | AppxPackageManager > AT > WindowsComponents > AppxDeployment |
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-GpMapping-End -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Examples-End -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-End -->
<!-- DisableStoreOriginatedApps-Begin -->
## DisableStoreOriginatedApps

8
windows/client-management/mdm/policy-csp-defender.md
View File

@ -1,7 +1,7 @@
---
title: Defender Policy CSP
description: Learn more about the Defender Area in Policy CSP.
ms.date: 03/12/2025
ms.date: 04/04/2025
ms.topic: generated-reference
---
@ -728,7 +728,7 @@ This policy setting allows you to configure scheduled scans and on-demand (manua
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
| Default Value | 1 |
<!-- AllowScanningNetworkFiles-DFProperties-End -->
<!-- AllowScanningNetworkFiles-AllowedValues-Begin -->
@ -736,8 +736,8 @@ This policy setting allows you to configure scheduled scans and on-demand (manua
| Value | Description |
|:--|:--|
| 0 (Default) | Not allowed. Turns off scanning of network files. |
| 1 | Allowed. Scans network files. |
| 0 | Not allowed. Turns off scanning of network files. |
| 1 (Default) | Allowed. Scans network files. |
<!-- AllowScanningNetworkFiles-AllowedValues-End -->
<!-- AllowScanningNetworkFiles-GpMapping-Begin -->

152
windows/client-management/mdm/policy-csp-humanpresence.md
View File

@ -1,7 +1,7 @@
---
title: HumanPresence Policy CSP
description: Learn more about the HumanPresence Area in Policy CSP.
ms.date: 03/12/2025
ms.date: 04/04/2025
ms.topic: generated-reference
---
@ -529,31 +529,31 @@ Determines the timeout for Lock on Leave forced by the MDM policy. The user will
<!-- ForceLockTimeout-End -->
<!-- ForcePrivacyScreen-Begin -->
## ForcePrivacyScreen
<!-- ForceOnlookerDetection-Begin -->
## ForceOnlookerDetection
<!-- ForcePrivacyScreen-Applicability-Begin -->
<!-- ForceOnlookerDetection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ForcePrivacyScreen-Applicability-End -->
<!-- ForceOnlookerDetection-Applicability-End -->
<!-- ForcePrivacyScreen-OmaUri-Begin -->
<!-- ForceOnlookerDetection-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreen
./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForceOnlookerDetection
```
<!-- ForcePrivacyScreen-OmaUri-End -->
<!-- ForceOnlookerDetection-OmaUri-End -->
<!-- ForcePrivacyScreen-Description-Begin -->
<!-- ForceOnlookerDetection-Description-Begin -->
<!-- Description-Source-DDF -->
Determines whether detect when other people are looking at my screen is forced on/off by the MDM policy. The user won't be able to change this setting and the UI will be greyed out.
<!-- ForcePrivacyScreen-Description-End -->
<!-- ForceOnlookerDetection-Description-End -->
<!-- ForcePrivacyScreen-Editable-Begin -->
<!-- ForceOnlookerDetection-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ForcePrivacyScreen-Editable-End -->
<!-- ForceOnlookerDetection-Editable-End -->
<!-- ForcePrivacyScreen-DFProperties-Begin -->
<!-- ForceOnlookerDetection-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
@ -561,9 +561,9 @@ Determines whether detect when other people are looking at my screen is forced o
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ForcePrivacyScreen-DFProperties-End -->
<!-- ForceOnlookerDetection-DFProperties-End -->
<!-- ForcePrivacyScreen-AllowedValues-Begin -->
<!-- ForceOnlookerDetection-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
@ -571,48 +571,48 @@ Determines whether detect when other people are looking at my screen is forced o
| 2 | ForcedOff. |
| 1 | ForcedOn. |
| 0 (Default) | DefaultToUserChoice. |
<!-- ForcePrivacyScreen-AllowedValues-End -->
<!-- ForceOnlookerDetection-AllowedValues-End -->
<!-- ForcePrivacyScreen-GpMapping-Begin -->
<!-- ForceOnlookerDetection-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ForcePrivacyScreen |
| Name | ForceOnlookerDetection |
| Path | Sensors > AT > WindowsComponents > HumanPresence |
<!-- ForcePrivacyScreen-GpMapping-End -->
<!-- ForceOnlookerDetection-GpMapping-End -->
<!-- ForcePrivacyScreen-Examples-Begin -->
<!-- ForceOnlookerDetection-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ForcePrivacyScreen-Examples-End -->
<!-- ForceOnlookerDetection-Examples-End -->
<!-- ForcePrivacyScreen-End -->
<!-- ForceOnlookerDetection-End -->
<!-- ForcePrivacyScreenDim-Begin -->
## ForcePrivacyScreenDim
<!-- ForceOnlookerDetectionAction-Begin -->
## ForceOnlookerDetectionAction
<!-- ForcePrivacyScreenDim-Applicability-Begin -->
<!-- ForceOnlookerDetectionAction-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ForcePrivacyScreenDim-Applicability-End -->
<!-- ForceOnlookerDetectionAction-Applicability-End -->
<!-- ForcePrivacyScreenDim-OmaUri-Begin -->
<!-- ForceOnlookerDetectionAction-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenDim
./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForceOnlookerDetectionAction
```
<!-- ForcePrivacyScreenDim-OmaUri-End -->
<!-- ForceOnlookerDetectionAction-OmaUri-End -->
<!-- ForcePrivacyScreenDim-Description-Begin -->
<!-- ForceOnlookerDetectionAction-Description-Begin -->
<!-- Description-Source-DDF -->
Determines whether dim the screen when other people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
<!-- ForcePrivacyScreenDim-Description-End -->
Determines whether the Onlooker Detection action is forced by the MDM policy. The user won't be able to change this setting and the toggle in the UI will be greyed out.
<!-- ForceOnlookerDetectionAction-Description-End -->
<!-- ForcePrivacyScreenDim-Editable-Begin -->
<!-- ForceOnlookerDetectionAction-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ForcePrivacyScreenDim-Editable-End -->
<!-- ForceOnlookerDetectionAction-Editable-End -->
<!-- ForcePrivacyScreenDim-DFProperties-Begin -->
<!-- ForceOnlookerDetectionAction-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
@ -620,91 +620,33 @@ Determines whether dim the screen when other people are looking at my screen che
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ForcePrivacyScreenDim-DFProperties-End -->
<!-- ForceOnlookerDetectionAction-DFProperties-End -->
<!-- ForcePrivacyScreenDim-AllowedValues-Begin -->
<!-- ForceOnlookerDetectionAction-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 2 | ForcedUnchecked. |
| 1 | ForcedChecked. |
| 3 | ForcedDimAndNotify. |
| 2 | ForcedNotify. |
| 1 | ForcedDim. |
| 0 (Default) | DefaultToUserChoice. |
<!-- ForcePrivacyScreenDim-AllowedValues-End -->
<!-- ForceOnlookerDetectionAction-AllowedValues-End -->
<!-- ForcePrivacyScreenDim-GpMapping-Begin -->
<!-- ForceOnlookerDetectionAction-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ForcePrivacyScreenDim |
| Name | ForceOnlookerDetectionAction |
| Path | Sensors > AT > WindowsComponents > HumanPresence |
<!-- ForcePrivacyScreenDim-GpMapping-End -->
<!-- ForceOnlookerDetectionAction-GpMapping-End -->
<!-- ForcePrivacyScreenDim-Examples-Begin -->
<!-- ForceOnlookerDetectionAction-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ForcePrivacyScreenDim-Examples-End -->
<!-- ForceOnlookerDetectionAction-Examples-End -->
<!-- ForcePrivacyScreenDim-End -->
<!-- ForcePrivacyScreenNotification-Begin -->
## ForcePrivacyScreenNotification
<!-- ForcePrivacyScreenNotification-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ForcePrivacyScreenNotification-Applicability-End -->
<!-- ForcePrivacyScreenNotification-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenNotification
```
<!-- ForcePrivacyScreenNotification-OmaUri-End -->
<!-- ForcePrivacyScreenNotification-Description-Begin -->
<!-- Description-Source-DDF -->
Determines whether providing alert when people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
<!-- ForcePrivacyScreenNotification-Description-End -->
<!-- ForcePrivacyScreenNotification-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ForcePrivacyScreenNotification-Editable-End -->
<!-- ForcePrivacyScreenNotification-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ForcePrivacyScreenNotification-DFProperties-End -->
<!-- ForcePrivacyScreenNotification-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 2 | ForcedUnchecked. |
| 1 | ForcedChecked. |
| 0 (Default) | DefaultToUserChoice. |
<!-- ForcePrivacyScreenNotification-AllowedValues-End -->
<!-- ForcePrivacyScreenNotification-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ForcePrivacyScreenNotification |
| Path | Sensors > AT > WindowsComponents > HumanPresence |
<!-- ForcePrivacyScreenNotification-GpMapping-End -->
<!-- ForcePrivacyScreenNotification-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ForcePrivacyScreenNotification-Examples-End -->
<!-- ForcePrivacyScreenNotification-End -->
<!-- ForceOnlookerDetectionAction-End -->
<!-- HumanPresence-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->

481
windows/client-management/mdm/policy-csp-lanmanworkstation.md
View File

@ -1,7 +1,7 @@
---
title: LanmanWorkstation Policy CSP
description: Learn more about the LanmanWorkstation Area in Policy CSP.
ms.date: 03/12/2025
ms.date: 04/04/2025
ms.topic: generated-reference
---
@ -10,10 +10,213 @@ ms.topic: generated-reference
<!-- LanmanWorkstation-Begin -->
# Policy CSP - LanmanWorkstation
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- LanmanWorkstation-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LanmanWorkstation-Editable-End -->
<!-- AuditInsecureGuestLogon-Begin -->
## AuditInsecureGuestLogon
<!-- AuditInsecureGuestLogon-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
<!-- AuditInsecureGuestLogon-Applicability-End -->
<!-- AuditInsecureGuestLogon-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/AuditInsecureGuestLogon
```
<!-- AuditInsecureGuestLogon-OmaUri-End -->
<!-- AuditInsecureGuestLogon-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls whether the SMB client will enable the audit event when the client is logged-on as guest account.
- If you enable this policy setting, the SMB client will log the event when the client is logged-on as guest account.
- If you disable or don't configure this policy setting, the SMB client won't log the event.
<!-- AuditInsecureGuestLogon-Description-End -->
<!-- AuditInsecureGuestLogon-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AuditInsecureGuestLogon-Editable-End -->
<!-- AuditInsecureGuestLogon-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- AuditInsecureGuestLogon-DFProperties-End -->
<!-- AuditInsecureGuestLogon-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- AuditInsecureGuestLogon-AllowedValues-End -->
<!-- AuditInsecureGuestLogon-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Pol_AuditInsecureGuestLogon |
| Friendly Name | Audit insecure guest logon |
| Location | Computer Configuration |
| Path | Network > Lanman Workstation |
| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
| Registry Value Name | AuditInsecureGuestLogon |
| ADMX File Name | LanmanWorkstation.admx |
<!-- AuditInsecureGuestLogon-GpMapping-End -->
<!-- AuditInsecureGuestLogon-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AuditInsecureGuestLogon-Examples-End -->
<!-- AuditInsecureGuestLogon-End -->
<!-- AuditServerDoesNotSupportEncryption-Begin -->
## AuditServerDoesNotSupportEncryption
<!-- AuditServerDoesNotSupportEncryption-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
<!-- AuditServerDoesNotSupportEncryption-Applicability-End -->
<!-- AuditServerDoesNotSupportEncryption-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/AuditServerDoesNotSupportEncryption
```
<!-- AuditServerDoesNotSupportEncryption-OmaUri-End -->
<!-- AuditServerDoesNotSupportEncryption-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls whether the SMB client will enable the audit event when the SMB server doesn't support encryption.
- If you enable this policy setting, the SMB client will log the event when the SMB server doesn't support encryption.
- If you disable or don't configure this policy setting, the SMB client won't log the event.
<!-- AuditServerDoesNotSupportEncryption-Description-End -->
<!-- AuditServerDoesNotSupportEncryption-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AuditServerDoesNotSupportEncryption-Editable-End -->
<!-- AuditServerDoesNotSupportEncryption-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- AuditServerDoesNotSupportEncryption-DFProperties-End -->
<!-- AuditServerDoesNotSupportEncryption-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- AuditServerDoesNotSupportEncryption-AllowedValues-End -->
<!-- AuditServerDoesNotSupportEncryption-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Pol_AuditServerDoesNotSupportEncryption |
| Friendly Name | Audit server does not support encryption |
| Location | Computer Configuration |
| Path | Network > Lanman Workstation |
| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
| Registry Value Name | AuditServerDoesNotSupportEncryption |
| ADMX File Name | LanmanWorkstation.admx |
<!-- AuditServerDoesNotSupportEncryption-GpMapping-End -->
<!-- AuditServerDoesNotSupportEncryption-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AuditServerDoesNotSupportEncryption-Examples-End -->
<!-- AuditServerDoesNotSupportEncryption-End -->
<!-- AuditServerDoesNotSupportSigning-Begin -->
## AuditServerDoesNotSupportSigning
<!-- AuditServerDoesNotSupportSigning-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
<!-- AuditServerDoesNotSupportSigning-Applicability-End -->
<!-- AuditServerDoesNotSupportSigning-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/AuditServerDoesNotSupportSigning
```
<!-- AuditServerDoesNotSupportSigning-OmaUri-End -->
<!-- AuditServerDoesNotSupportSigning-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls whether the SMB client will enable the audit event when the SMB server doesn't support signing.
- If you enable this policy setting, the SMB client will log the event when the SMB server doesn't support signing.
- If you disable or don't configure this policy setting, the SMB client won't log the event.
<!-- AuditServerDoesNotSupportSigning-Description-End -->
<!-- AuditServerDoesNotSupportSigning-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AuditServerDoesNotSupportSigning-Editable-End -->
<!-- AuditServerDoesNotSupportSigning-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- AuditServerDoesNotSupportSigning-DFProperties-End -->
<!-- AuditServerDoesNotSupportSigning-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- AuditServerDoesNotSupportSigning-AllowedValues-End -->
<!-- AuditServerDoesNotSupportSigning-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Pol_AuditServerDoesNotSupportSigning |
| Friendly Name | Audit server does not support signing |
| Location | Computer Configuration |
| Path | Network > Lanman Workstation |
| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
| Registry Value Name | AuditServerDoesNotSupportSigning |
| ADMX File Name | LanmanWorkstation.admx |
<!-- AuditServerDoesNotSupportSigning-GpMapping-End -->
<!-- AuditServerDoesNotSupportSigning-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AuditServerDoesNotSupportSigning-Examples-End -->
<!-- AuditServerDoesNotSupportSigning-End -->
<!-- EnableInsecureGuestLogons-Begin -->
## EnableInsecureGuestLogons
@ -85,6 +288,282 @@ Insecure guest logons are used by file servers to allow unauthenticated access t
<!-- EnableInsecureGuestLogons-End -->
<!-- EnableMailslots-Begin -->
## EnableMailslots
<!-- EnableMailslots-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
<!-- EnableMailslots-Applicability-End -->
<!-- EnableMailslots-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/EnableMailslots
```
<!-- EnableMailslots-OmaUri-End -->
<!-- EnableMailslots-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls whether the SMB client will enable or disable remote mailslots over MUP.
- If you disable this policy setting, remote mailslots won't function over MUP, hence they won't go through the SMB client redirector.
- If you don't configure this policy setting, remote mailslots may be allowed through MUP.
<!-- EnableMailslots-Description-End -->
<!-- EnableMailslots-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableMailslots-Editable-End -->
<!-- EnableMailslots-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- EnableMailslots-DFProperties-End -->
<!-- EnableMailslots-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- EnableMailslots-AllowedValues-End -->
<!-- EnableMailslots-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Pol_EnableMailslots |
| Friendly Name | Enable remote mailslots |
| Location | Computer Configuration |
| Path | Network > Lanman Workstation |
| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkProvider |
| Registry Value Name | EnableMailslots |
| ADMX File Name | LanmanWorkstation.admx |
<!-- EnableMailslots-GpMapping-End -->
<!-- EnableMailslots-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableMailslots-Examples-End -->
<!-- EnableMailslots-End -->
<!-- MaxSmb2Dialect-Begin -->
## MaxSmb2Dialect
<!-- MaxSmb2Dialect-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
<!-- MaxSmb2Dialect-Applicability-End -->
<!-- MaxSmb2Dialect-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/MaxSmb2Dialect
```
<!-- MaxSmb2Dialect-OmaUri-End -->
<!-- MaxSmb2Dialect-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls the maximum version of SMB protocol.
> [!NOTE]
> This group policy doesn't prevent use of SMB 1 if that component is still installed and enabled.
<!-- MaxSmb2Dialect-Description-End -->
<!-- MaxSmb2Dialect-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- MaxSmb2Dialect-Editable-End -->
<!-- MaxSmb2Dialect-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 785 |
<!-- MaxSmb2Dialect-DFProperties-End -->
<!-- MaxSmb2Dialect-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 514 | SMB 2.0.2. |
| 528 | SMB 2.1.0. |
| 768 | SMB 3.0.0. |
| 770 | SMB 3.0.2. |
| 785 (Default) | SMB 3.1.1. |
<!-- MaxSmb2Dialect-AllowedValues-End -->
<!-- MaxSmb2Dialect-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Pol_MaxSmb2Dialect |
| Friendly Name | Mandate the maximum version of SMB |
| Location | Computer Configuration |
| Path | Network > Lanman Workstation |
| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
| ADMX File Name | LanmanWorkstation.admx |
<!-- MaxSmb2Dialect-GpMapping-End -->
<!-- MaxSmb2Dialect-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- MaxSmb2Dialect-Examples-End -->
<!-- MaxSmb2Dialect-End -->
<!-- MinSmb2Dialect-Begin -->
## MinSmb2Dialect
<!-- MinSmb2Dialect-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
<!-- MinSmb2Dialect-Applicability-End -->
<!-- MinSmb2Dialect-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/MinSmb2Dialect
```
<!-- MinSmb2Dialect-OmaUri-End -->
<!-- MinSmb2Dialect-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls the minimum version of SMB protocol.
> [!NOTE]
> This group policy doesn't prevent use of SMB 1 if that component is still installed and enabled.
<!-- MinSmb2Dialect-Description-End -->
<!-- MinSmb2Dialect-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- MinSmb2Dialect-Editable-End -->
<!-- MinSmb2Dialect-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 514 |
<!-- MinSmb2Dialect-DFProperties-End -->
<!-- MinSmb2Dialect-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 514 (Default) | SMB 2.0.2. |
| 528 | SMB 2.1.0. |
| 768 | SMB 3.0.0. |
| 770 | SMB 3.0.2. |
| 785 | SMB 3.1.1. |
<!-- MinSmb2Dialect-AllowedValues-End -->
<!-- MinSmb2Dialect-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Pol_MinSmb2Dialect |
| Friendly Name | Mandate the minimum version of SMB |
| Location | Computer Configuration |
| Path | Network > Lanman Workstation |
| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
| ADMX File Name | LanmanWorkstation.admx |
<!-- MinSmb2Dialect-GpMapping-End -->
<!-- MinSmb2Dialect-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- MinSmb2Dialect-Examples-End -->
<!-- MinSmb2Dialect-End -->
<!-- RequireEncryption-Begin -->
## RequireEncryption
<!-- RequireEncryption-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
<!-- RequireEncryption-Applicability-End -->
<!-- RequireEncryption-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/RequireEncryption
```
<!-- RequireEncryption-OmaUri-End -->
<!-- RequireEncryption-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls whether the SMB client will require encryption.
- If you enable this policy setting, the SMB client will require the SMB server to support encryption and encrypt the data.
- If you disable or don't configure this policy setting, the SMB client won't require encryption. However, SMB encryption may still be required; see notes below.
> [!NOTE]
> This policy is combined with per-share, per-server, and per mapped drive connection properties, through which SMB encryption may be required. The SMB server must support and enable SMB encryption. For example, should this policy be disabled (or not configured), the SMB client may still perform encryption if an SMB server share has required encryption.
> [!IMPORTANT]
> SMB encryption requires SMB 3.0 or later.
<!-- RequireEncryption-Description-End -->
<!-- RequireEncryption-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- RequireEncryption-Editable-End -->
<!-- RequireEncryption-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- RequireEncryption-DFProperties-End -->
<!-- RequireEncryption-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- RequireEncryption-AllowedValues-End -->
<!-- RequireEncryption-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Pol_RequireEncryption |
| Friendly Name | Require Encryption |
| Location | Computer Configuration |
| Path | Network > Lanman Workstation |
| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
| Registry Value Name | RequireEncryption |
| ADMX File Name | LanmanWorkstation.admx |
<!-- RequireEncryption-GpMapping-End -->
<!-- RequireEncryption-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- RequireEncryption-Examples-End -->
<!-- RequireEncryption-End -->
<!-- LanmanWorkstation-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- LanmanWorkstation-CspMoreInfo-End -->

64
windows/client-management/mdm/policy-csp-power.md
View File

@ -1,7 +1,7 @@
---
title: Power Policy CSP
description: Learn more about the Power Area in Policy CSP.
ms.date: 03/12/2025
ms.date: 04/04/2025
ms.topic: generated-reference
---
@ -12,6 +12,8 @@ ms.topic: generated-reference
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Power-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Power-Editable-End -->
@ -307,6 +309,64 @@ If the user has configured a slide show to run on the lock screen when the machi
<!-- DisplayOffTimeoutPluggedIn-End -->
<!-- EnableEnergySaver-Begin -->
## EnableEnergySaver
<!-- EnableEnergySaver-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- EnableEnergySaver-Applicability-End -->
<!-- EnableEnergySaver-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Power/EnableEnergySaver
```
<!-- EnableEnergySaver-OmaUri-End -->
<!-- EnableEnergySaver-Description-Begin -->
<!-- Description-Source-DDF -->
This policy will extend battery life and reduce energy consumption by enabling Energy Saver to always be on. Energy Saver will always be on for desktops as well as laptops regardless of battery level for both AC and DC. If you disable or don't configure this policy setting, then Energy Saver will turn on based on the EnergySaverBatteryThreshold group policy.
<!-- EnableEnergySaver-Description-End -->
<!-- EnableEnergySaver-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableEnergySaver-Editable-End -->
<!-- EnableEnergySaver-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- EnableEnergySaver-DFProperties-End -->
<!-- EnableEnergySaver-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Disable energy saver policy. |
| 1 (Default) | Enable energy saver always-on mode. |
<!-- EnableEnergySaver-AllowedValues-End -->
<!-- EnableEnergySaver-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | EnableEnergySaver |
| Path | Power > AT > System > PowerManagementCat > EnergySaverSettingsCat |
<!-- EnableEnergySaver-GpMapping-End -->
<!-- EnableEnergySaver-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableEnergySaver-Examples-End -->
<!-- EnableEnergySaver-End -->
<!-- EnergySaverBatteryThresholdOnBattery-Begin -->
## EnergySaverBatteryThresholdOnBattery
@ -344,6 +404,7 @@ This policy setting allows you to specify battery charge level at which Energy S
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-100]` |
| Default Value | 0 |
| Dependency [Power_EnergySaverBatteryThresholdOnBattery_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `./Device/Vendor/MSFT/Policy/Config/Power/EnableEnergySaver` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- EnergySaverBatteryThresholdOnBattery-DFProperties-End -->
<!-- EnergySaverBatteryThresholdOnBattery-GpMapping-Begin -->
@ -403,6 +464,7 @@ This policy setting allows you to specify battery charge level at which Energy S
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-100]` |
| Default Value | 0 |
| Dependency [Power_EnergySaverBatteryThresholdPluggedIn_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `./Device/Vendor/MSFT/Policy/Config/Power/EnableEnergySaver` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- EnergySaverBatteryThresholdPluggedIn-DFProperties-End -->
<!-- EnergySaverBatteryThresholdPluggedIn-GpMapping-Begin -->

57
windows/client-management/mdm/policy-csp-system.md
View File

@ -1,7 +1,7 @@
---
title: System Policy CSP
description: Learn more about the System Area in Policy CSP.
ms.date: 03/12/2025
ms.date: 04/04/2025
ms.topic: generated-reference
---
@ -12,6 +12,8 @@ ms.topic: generated-reference
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- System-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- System-Editable-End -->
@ -1195,6 +1197,59 @@ If you don't configure this policy setting, or you set it to "Enable diagnostic
<!-- ConfigureTelemetryOptInSettingsUx-End -->
<!-- DisableCHPE-Begin -->
## DisableCHPE
<!-- DisableCHPE-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DisableCHPE-Applicability-End -->
<!-- DisableCHPE-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/System/DisableCHPE
```
<!-- DisableCHPE-OmaUri-End -->
<!-- DisableCHPE-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls whether loading CHPE binaries is disabled on the ARM64 device. This policy has no effect on x64 devices.
- If you enable this policy setting, ARM64 devices won't load CHPE binaries. This setting is required for hotpatching on ARM64 devices.
- If you disable or don't configure this policy setting, ARM64 devices will load CHPE binaries.
<!-- DisableCHPE-Description-End -->
<!-- DisableCHPE-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisableCHPE-Editable-End -->
<!-- DisableCHPE-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- DisableCHPE-DFProperties-End -->
<!-- DisableCHPE-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | CHPE Binaries Enabled (Default). |
| 1 | CHPE Binaries Disabled. |
<!-- DisableCHPE-AllowedValues-End -->
<!-- DisableCHPE-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisableCHPE-Examples-End -->
<!-- DisableCHPE-End -->
<!-- DisableDeviceDelete-Begin -->
## DisableDeviceDelete

4
windows/client-management/mdm/policy-csp-update.md
View File

@ -1,7 +1,7 @@
---
title: Update Policy CSP
description: Learn more about the Update Area in Policy CSP.
ms.date: 03/12/2025
ms.date: 04/04/2025
ms.topic: generated-reference
---
@ -2054,7 +2054,7 @@ Enables the IT admin to manage automatic update behavior to scan, download, and
| Value | Description |
|:--|:--|
| 0 | Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. |
| 1 | Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that don't shutdown properly on restart. |
| 1 | Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. After the update is installed, if the user hasn't scheduled a restart, the device will attempt to restart automatically. The user will be notified about the scheduled restart and can reschedule it if the proposed time is inconvenient. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that don't shutdown properly on restart. |
| 2 (Default) | Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shutdown properly on restart. |
| 3 | Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. |
| 4 | Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only. |

8
windows/client-management/mdm/reboot-ddf-file.md
View File

@ -1,7 +1,7 @@
---
title: Reboot DDF file
description: View the XML file containing the device description framework (DDF) for the Reboot configuration service provider.
ms.date: 02/13/2025
ms.date: 04/04/2025
ms.topic: generated-reference
---
@ -96,7 +96,7 @@ The following XML file contains the device description framework (DDF) for the R
<Get />
<Replace />
</AccessType>
<Description>Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. Both the date and time are required. A reboot will be scheduled to occur at the specified date and time. Setting a null (empty) date will delete the existing schedule.</Description>
<Description>Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. Both the date and time are required. A reboot will be scheduled to occur at the specified date and time. Setting a null (empty) date will delete the existing schedule.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -123,7 +123,7 @@ The following XML file contains the device description framework (DDF) for the R
<Get />
<Replace />
</AccessType>
<Description>Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. While it is supported to set either DailyRecurrent or WeeklyRecurrent schedules, it is not supported to enable both settings simultaneously. A reboot will be scheduled to occur every day at the configured time starting at the specified date and time. Setting a null (empty) date will delete the existing schedule.</Description>
<Description>Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. While it is supported to set either DailyRecurrent or WeeklyRecurrent schedules, it is not supported to enable both settings simultaneously. A reboot will be scheduled to occur every day at the configured time starting at the specified date and time. Setting a null (empty) date will delete the existing schedule.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -150,7 +150,7 @@ The following XML file contains the device description framework (DDF) for the R
<Get />
<Replace />
</AccessType>
<Description>Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. While it is supported to set either DailyRecurrent or WeeklyRecurrent schedules, it is not supported to enable both settings simultaneously. A reboot will be scheduled to occur every week at the configured day and time starting at the specified date and time. Setting a null (empty) date will delete the existing schedule.</Description>
<Description>Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. While it is supported to set either DailyRecurrent or WeeklyRecurrent schedules, it is not supported to enable both settings simultaneously. A reboot will be scheduled to occur every week at the configured day and time starting at the specified date and time. Setting a null (empty) date will delete the existing schedule.</Description>
<DFFormat>
<chr />
</DFFormat>

2
windows/configuration/start/layout.md
View File

@ -470,7 +470,7 @@ You can configure devices using the [Start CSP][WIN-1]. Use one of the following
[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)]
- **Path:** `Policies/Start/StartLayout`
- **Path:** Policies > Start > StartLayout
- **Value:** content of the XML file
> [!NOTE]

6
windows/deployment/do/mcc-ent-deploy-to-linux.md
View File

@ -28,7 +28,7 @@ Before deploying Connected Cache to a Linux host machine, ensure that the host m
1. Open a command line window *as administrator* on the host machine, then change directory to the extracted provisioning package.
>[!Note]
>* If you are deploying your cache node to a Linux host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and add `proxyTlsCertificatePath="/path/to/pem/file"` to the provisioning command.
>* If you're deploying your cache node to a host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and then add `proxytlscertificatepath="/path/to/pem/file"` to the provisioning command.
1. Set access permissions to allow the `provisionmcc.sh` script within the provisioning package directory to execute.
1. Run the provisioning command on the host machine.
@ -47,8 +47,8 @@ To deploy a cache node programmatically, you'll need to use Azure CLI to get the
1. Download and extract the [Connected Cache provisioning package for Linux](https://aka.ms/MCC-Ent-InstallScript-Linux) to your host machine.
1. Open a command line window *as administrator* on the host machine, then change directory to the extracted provisioning package.
>[!Note]
>* If you are deploying your cache node to a host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and add `proxyTlsCertificatePath="/path/to/pem/file"` to the provisioning command.
> [!Note]
>* If you're deploying your cache node to a host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and then add `proxytlscertificatepath="/path/to/pem/file"` to the provisioning command.
1. Set access permissions to allow the `provisionmcc.sh` script within the provisioning package directory to execute.
1. Replace the values in the following provisioning command before running it on the host machine.

4
windows/deployment/do/waas-delivery-optimization-reference.md
View File

@ -14,7 +14,7 @@ appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
ms.date: 10/15/2024
ms.date: 04/03/2025
---
# Delivery Optimization reference
@ -335,6 +335,8 @@ Configure this policy to designate Delivery Optimization in Network Cache server
> [!NOTE]
> If you format the DHCP Option ID incorrectly, the client will fall back to the Cache Server Hostname policy value if that value has been configured.
>
> If the [LocalPolicyMerge](/windows/security/operating-system-security/network-security/windows-firewall/rules#local-policy-merge-and-application-rules) setting is configured, such as part of security baselines, it can impact DHCP client and prevent it from retrieving this DHCP option, especially in Autopilot scenarios.
### Maximum foreground download bandwidth (in KB/s)

7
windows/deployment/do/waas-delivery-optimization.md
View File

@ -15,7 +15,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 05/23/2024
ms.date: 04/03/2025
---
# What is Delivery Optimization?
@ -47,9 +47,6 @@ The following table lists the minimum Windows 10 version that supports Delivery
#### Windows Client
> [!NOTE]
> Starting March 4, 2025, Edge Browser updates will temporarily not utilize Delivery Optimization for downloads. We are actively working to resolve this issue.
| Windows Client | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache |
|------------------|---------------|----------------|----------|----------------|
| Windows Update ([feature updates quality updates, language packs, drivers](../update/get-started-updates-channels-tools.md#types-of-updates)) | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
@ -58,7 +55,7 @@ The following table lists the minimum Windows 10 version that supports Delivery
| Windows Defender definition updates | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Intune Win32 apps| Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Microsoft 365 Apps and updates | Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Edge Browser Updates | Windows 10 1809, Windows 11 | | | |
| Edge Browser Updates | Windows 10 1809, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Configuration Manager Express updates| Windows 10 1709 + Configuration Manager version 1711, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Dynamic updates| Windows 10 1903, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| MDM Agent | Windows 11 | :heavy_check_mark: | | |

32
windows/deployment/mbr-to-gpt.md
View File

@ -4,7 +4,7 @@ description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR)
ms.service: windows-client
author: frankroj
ms.author: frankroj
ms.date: 11/26/2024
ms.date: 04/08/2024
manager: aaroncz
ms.localizationpriority: high
ms.topic: how-to
@ -19,9 +19,11 @@ appliesto:
# MBR2GPT.EXE
**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows operating system (OS) by using the **`/allowFullOS`** option.
> [!IMPORTANT]
>
> **MBR2GPT.EXE** is located in the **`Windows\System32`** directory on any device running a [currently supported version of Windows](/windows/release-health/supported-versions-windows-client).
**MBR2GPT.EXE** is located in the **`Windows\System32`** directory on a computer running Windows.
**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows operating system (OS) by using the **`/allowFullOS`** option.
The tool is available in both the full OS environment and Windows PE.
@ -451,22 +453,22 @@ The partition type can be determined with the DiskPart tool. The DiskPart tool i
1. The partition type is displayed in the **Gpt** column. If the partition is GPT, an asterisk (**\***) is displayed in the column. If the partition is MBR, the column is blank.
The following shows an example output of the DiskPart tool showing the partition type for two disks:
The following shows an example output of the DiskPart tool showing the partition type for two disks:
```cmd
X:\>DiskPart.exe
```cmd
X:\>DiskPart.exe
Microsoft DiskPart version 10.0.15048.0
Microsoft DiskPart version 10.0.15048.0
Copyright (C) Microsoft Corporation.
On computer: MININT-K71F13N
Copyright (C) Microsoft Corporation.
On computer: MININT-K71F13N
DISKPART> list disk
DISKPART> list disk
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 238 GB 0 B
Disk 1 Online 931 GB 0 B *
```
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 238 GB 0 B
Disk 1 Online 931 GB 0 B *
```
In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is formatted using GPT.

514
windows/deployment/upgrade/log-files.md
View File

@ -1,257 +1,257 @@
---
title: Log files and resolving upgrade errors
description: Learn how to interpret and analyze the log files that are generated during the Windows upgrade process.
ms.service: windows-client
author: frankroj
manager: aaroncz
ms.author: frankroj
ms.localizationpriority: medium
ms.topic: troubleshooting
ms.collection:
- highpri
- tier2
ms.subservice: itpro-deploy
ms.date: 01/29/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Windows upgrade log files
> [!NOTE]
>
> This article is a 400-level article (advanced).
>
> See [Resolve Windows upgrade errors](resolve-windows-upgrade-errors.md) for a full list of articles in this section.
Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is **setupact.log**. The log files are located in a different folder depending on the Windows Setup phase. Recall that the phase can be determined from the extend code.
> [!NOTE]
>
> Also see the [Windows Error Reporting](windows-error-reporting.md) article in this section for help with locating error codes and log files.
The following table describes some log files and how to use them for troubleshooting purposes:
|Log file |Phase: Location |Description |When to use|
|---|---|---|---|
|**setupact.log**|Down-Level:<br>$Windows.~BT\Sources\Panther|Contains information about setup actions during the downlevel phase. |All down-level failures and starting point for rollback investigations.<br> Setup.act is the most important log for diagnosing setup issues.|
|**setupact.log**|OOBE:<br>$Windows.~BT\Sources\Panther\UnattendGC|Contains information about actions during the OOBE phase.|Investigating rollbacks that failed during OOBE phase and operations - 0x4001C, 0x4001D, 0x4001E, 0x4001F.|
|**setupact.log**|Rollback:<br>$Windows.~BT\Sources\Rollback|Contains information about actions during rollback.|Investigating generic rollbacks - 0xC1900101.|
|**setupact.log**|Pre-initialization (prior to downlevel):<br>Windows|Contains information about initializing setup.|If setup fails to launch.|
|**setupact.log**|Post-upgrade (after OOBE):<br>Windows\Panther|Contains information about setup actions during the installation.|Investigate post-upgrade related issues.|
|**setuperr.log**|Same as setupact.log|Contains information about setup errors during the installation.|Review all errors encountered during the installation phase.|
|**miglog.xml**|Post-upgrade (after OOBE):<br>Windows\Panther|Contains information about what was migrated during the installation.|Identify post upgrade data migration issues.|
|**BlueBox.log**|Down-Level:<br>Windows\Logs\Mosetup|Contains information communication between `setup.exe` and Windows Update.|Use during WSUS and Windows Update down-level failures or for 0xC1900107.|
|Supplemental rollback logs:<br>**Setupmem.dmp**<br>**setupapi.dev.log**<br>Event logs (*.evtx)|$Windows.~BT\Sources\Rollback|Additional logs collected during rollback.|Setupmem.dmp: If OS bug checks during upgrade, setup attempts to extract a mini-dump.<br>Setupapi: Device install issues - 0x30018<br>Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.|
## Log entry structure
A `setupact.log` or `setuperr.log` entry includes the following elements:
1. **The date and time** - 2023-09-08 09:20:05
2. **The log level** - Info, Warning, Error, Fatal Error
3. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS
The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are useful for troubleshooting Windows Setup errors.
4. **The message** - Operation completed successfully.
See the following example:
| Date/Time | Log level | Component | Message |
|------|------------|------------|------------|
|2023-09-08 09:23:50,| Warning | MIG | Couldn't replace object C:\Users\name\Cookies. Target Object can't be removed.|
## Analyze log files
The following instructions are meant for IT professionals. Also see the [Upgrade error codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json) section in this guide to become familiar with [result codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes) and [extend codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes).
To analyze Windows Setup log files:
1. Determine the Windows Setup error code. Windows Setup should return an error code if it isn't successful with the upgrade process.
1. Based on the [extend code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes) portion of the error code, determine the type and location of a log file to investigate.
1. Open the log file in a text editor, such as notepad.
1. Using the [result code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes) portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below.
1. To find the last occurrence of the result code:
1. Scroll to the bottom of the file and select after the last character.
1. Select **Edit**.
1. Select **Find**.
1. Type the result code.
1. Under **Direction** select **Up**.
1. Select **Find Next**.
1. When the last occurrence of the result code is located, scroll up a few lines from this location in the file and review the processes that failed prior to generating the result code.
1. Search for the following important text strings:
- `Shell application requested abort`
- `Abandoning apply due to error for object`
1. Decode Win32 errors that appear in this section.
1. Write down the timestamp for the observed errors in this section.
1. Search other log files for additional information matching these timestamps or errors.
For example, assume that the error code for an error is **0x8007042B - 0x2000D**. Searching for **8007042B** reveals the following content from the `setuperr.log` file:
> [!NOTE]
>
> Some lines in the following text are shortened to enhance readability. For example
>
> - The date and time at the start of each line (ex: 2023-10-05 15:27:08) is shortened to minutes and seconds
> - The certificate file name, which is a long text string, is shortened to just "CN."
**setuperr.log** content:
```console
27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
27:08, Error MIG Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
27:08, Error Gather failed. Last error: 0x00000000
27:08, Error SP SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
27:09, Error SP CMigrateFramework: Gather framework failed. Status: 44
27:09, Error SP Operation failed: Migrate framework (Full). Error: 0x8007042B[gle=0x000000b7]
27:09, Error SP Operation execution failed: 13. hr = 0x8007042B[gle=0x000000b7]
27:09, Error SP CSetupPlatformPrivate::Execute: Execution of operations queue failed, abandoning. Error: 0x8007042B[gle=0x000000b7]
```
The first line indicates there was an error **0x00000570** with the file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]**:
```console
27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
```
The error **0x00000570** is a [Win32 error code](/openspecs/windows_protocols/ms-erref/18d8fbe8-a967-4f1c-ae50-99ca8e491d2d) corresponding to: **ERROR_FILE_CORRUPT: The file or directory is corrupted and unreadable**.
Therefore, Windows Setup failed because it wasn't able to migrate the corrupt file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]**. This file is a local system certificate and can be safely deleted. After the `setupact.log` file is searched for more details, the phrase **Shell application requested abort** is found in a location with the same timestamp as the lines in `setuperr.log`. This analysis confirms the suspicion that this file is the cause of the upgrade failure:
**setupact.log** content:
```console
27:00, Info Gather started at 10/5/2023 23:27:00
27:00, Info [0x080489] MIG Setting system object filter context (System)
27:00, Info [0x0803e5] MIG Not unmapping HKCU\Software\Classes; it is not mapped
27:00, Info [0x0803e5] MIG Not unmapping HKCU; it is not mapped
27:00, Info SP ExecuteProgress: Elapsed events:1 of 4, Percent: 12
27:00, Info [0x0802c6] MIG Processing GATHER for migration unit: &lt;System&gt;\UpgradeFramework (CMXEAgent)
27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
27:08, Error MIG Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
27:08, Info SP ExecuteProgress: Elapsed events:2 of 4, Percent: 25
27:08, Info SP ExecuteProgress: Elapsed events:3 of 4, Percent: 37
27:08, Info [0x080489] MIG Setting system object filter context (System)
27:08, Info [0x0803e5] MIG Not unmapping HKCU\Software\Classes; it is not mapped
27:08, Info [0x0803e5] MIG Not unmapping HKCU; it is not mapped
27:08, Info MIG COutOfProcPluginFactory::FreeSurrogateHost: Shutdown in progress.
27:08, Info MIG COutOfProcPluginFactory::LaunchSurrogateHost::CommandLine: -shortened-
27:08, Info MIG COutOfProcPluginFactory::LaunchSurrogateHost: Successfully launched host and got control object.
27:08, Error Gather failed. Last error: 0x00000000
27:08, Info Gather ended at 10/5/2023 23:27:08 with result 44
27:08, Info Leaving MigGather method
27:08, Error SP SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
```
**setupapi.dev.log** content:
```console
>>> [Device Install (UpdateDriverForPlugAndPlayDevices) - PCI\VEN_8086&DEV_8C4F]
>>> Section start 2023/09/26 20:13:01.623
cmd: rundll32.exe "C:\WINDOWS\Installer\MSI6E4C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_95972906 484 ChipsetWiX.CustomAction!Intel.Deployment.ChipsetWiX.CustomActions.InstallDrivers
ndv: INF path: C:\WINDOWS\TEMP\{15B1CD41-69F5-48EA-9F45-0560A40FE2D8}\Drivers\lynxpoint\LynxPointSystem.inf
ndv: Install flags: 0x00000000
ndv: {Update Device Driver - PCI\VEN_8086&DEV_8C4F&SUBSYS_05BE1028&REV_04\3&11583659&0&F8}
ndv: Search options: 0x00000081
ndv: Searching single INF 'C:\WINDOWS\TEMP\{15B1CD41-69F5-48EA-9F45-0560A40FE2D8}\Drivers\lynxpoint\LynxPointSystem.inf'
dvi: {Build Driver List} 20:13:01.643
dvi: Searching for hardware ID(s):
dvi: pci\ven_8086&dev_8c4f&subsys_05be1028&rev_04
dvi: pci\ven_8086&dev_8c4f&subsys_05be1028
dvi: pci\ven_8086&dev_8c4f&cc_060100
dvi: pci\ven_8086&dev_8c4f&cc_0601
dvi: Searching for compatible ID(s):
dvi: pci\ven_8086&dev_8c4f&rev_04
dvi: pci\ven_8086&dev_8c4f
dvi: pci\ven_8086&cc_060100
dvi: pci\ven_8086&cc_0601
dvi: pci\ven_8086
dvi: pci\cc_060100
dvi: pci\cc_0601
sig: {_VERIFY_FILE_SIGNATURE} 20:13:01.667
sig: Key = lynxpointsystem.inf
sig: FilePath = c:\windows\temp\{15b1cd41-69f5-48ea-9f45-0560a40fe2d8}\drivers\lynxpoint\lynxpointsystem.inf
sig: Catalog = c:\windows\temp\{15b1cd41-69f5-48ea-9f45-0560a40fe2d8}\drivers\lynxpoint\LynxPoint.cat
sig: Success: File is signed in catalog.
sig: {_VERIFY_FILE_SIGNATURE exit(0x00000000)} 20:13:01.683
dvi: Created Driver Node:
dvi: HardwareID - PCI\VEN_8086&DEV_8C4F
dvi: InfName - c:\windows\temp\{15b1cd41-69f5-48ea-9f45-0560a40fe2d8}\drivers\lynxpoint\lynxpointsystem.inf
dvi: DevDesc - Intel(R) QM87 LPC Controller - 8C4F
dvi: Section - Needs_ISAPNP_DRV
dvi: Rank - 0x00ff2001
dvi: Signer Score - WHQL
dvi: DrvDate - 04/04/2016
dvi: Version - 10.1.1.18
dvi: {Build Driver List - exit(0x00000000)} 20:13:01.699
ndv: Searching currently installed INF
dvi: {Build Driver List} 20:13:01.699
dvi: Searching for hardware ID(s):
dvi: pci\ven_8086&dev_8c4f&subsys_05be1028&rev_04
dvi: pci\ven_8086&dev_8c4f&subsys_05be1028
dvi: pci\ven_8086&dev_8c4f&cc_060100
dvi: pci\ven_8086&dev_8c4f&cc_0601
dvi: Searching for compatible ID(s):
dvi: pci\ven_8086&dev_8c4f&rev_04
dvi: pci\ven_8086&dev_8c4f
dvi: pci\ven_8086&cc_060100
dvi: pci\ven_8086&cc_0601
dvi: pci\ven_8086
dvi: pci\cc_060100
dvi: pci\cc_0601
dvi: Created Driver Node:
dvi: HardwareID - PCI\VEN_8086&DEV_8C4F
dvi: InfName - C:\WINDOWS\System32\DriverStore\FileRepository\lynxpointsystem.inf_amd64_cd1e518d883ecdfe\lynxpointsystem.inf
dvi: DevDesc - Intel(R) QM87 LPC Controller - 8C4F
dvi: Section - Needs_ISAPNP_DRV
dvi: Rank - 0x00ff2001
dvi: Signer Score - WHQL
dvi: DrvDate - 10/03/2016
dvi: Version - 10.1.1.38
dvi: {Build Driver List - exit(0x00000000)} 20:13:01.731
dvi: {DIF_SELECTBESTCOMPATDRV} 20:13:01.731
dvi: Default installer: Enter 20:13:01.735
dvi: {Select Best Driver}
dvi: Class GUID of device changed to: {4d36e97d-e325-11ce-bfc1-08002be10318}.
dvi: Selected Driver:
dvi: Description - Intel(R) QM87 LPC Controller - 8C4F
dvi: InfFile - c:\windows\system32\driverstore\filerepository\lynxpointsystem.inf_amd64_cd1e518d883ecdfe\lynxpointsystem.inf
dvi: Section - Needs_ISAPNP_DRV
dvi: {Select Best Driver - exit(0x00000000)}
dvi: Default installer: Exit
dvi: {DIF_SELECTBESTCOMPATDRV - exit(0x00000000)} 20:13:01.743
ndv: Currently Installed Driver:
ndv: Inf Name - oem1.inf
ndv: Driver Date - 10/03/2016
ndv: Driver Version - 10.1.1.38
ndv: {Update Device Driver - exit(00000103)}
! ndv: No better matching drivers found for device 'PCI\VEN_8086&DEV_8C4F&SUBSYS_05BE1028&REV_04\3&11583659&0&F8'.
! ndv: No devices were updated.
<<< Section end 2019/09/26 20:13:01.759
<<< [Exit status: FAILURE(0xC1900101)]
```
This analysis indicates that the Windows upgrade error can be resolved by deleting the `C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]` file.
> [!NOTE]
>
> In this example, the full file name is `C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\be8228fb2d3cb6c6b0ccd9ad51b320b4_a43d512c-69f2-42de-aef9-7a88fabdaa3f`.
## Related articles
- [Fix Windows Update errors by using the DISM or System Update Readiness tool](/troubleshoot/windows-server/deployment/fix-windows-update-errors).
---
title: Log files and resolving upgrade errors
description: Learn how to interpret and analyze the log files that are generated during the Windows upgrade process.
ms.service: windows-client
author: frankroj
manager: aaroncz
ms.author: frankroj
ms.localizationpriority: medium
ms.topic: troubleshooting
ms.collection:
- highpri
- tier2
ms.subservice: itpro-deploy
ms.date: 04/08/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Windows upgrade log files
> [!NOTE]
>
> This article is a 400-level article (advanced).
>
> See [Resolve Windows upgrade errors](resolve-windows-upgrade-errors.md) for a full list of articles in this section.
Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is **setupact.log**. The log files are located in a different folder depending on the Windows Setup phase. Recall that the phase can be determined from the [extend code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes).
> [!NOTE]
>
> Also see the [Windows Error Reporting](windows-error-reporting.md) article in this section for help with locating error codes and log files.
The following table describes some log files and how to use them for troubleshooting purposes:
|Log file |Phase: Location |Description |When to use|
|---|---|---|---|
|**setupact.log**|Down-Level:<br>$Windows.~BT\Sources\Panther|Contains information about setup actions during the downlevel phase. |All downlevel failures and starting point for rollback investigations.<br> Setup.act is the most important log for diagnosing setup issues.|
|**setupact.log**|Out of box experience (OOBE):<br>$Windows.~BT\Sources\Panther\UnattendGC|Contains information about actions during the OOBE phase.|Investigating rollbacks that failed during OOBE phase and operations - 0x4001C, 0x4001D, 0x4001E, 0x4001F.|
|**setupact.log**|Rollback:<br>$Windows.~BT\Sources\Rollback|Contains information about actions during rollback.|Investigating generic rollbacks - 0xC1900101.|
|**setupact.log**|Pre-initialization (before downlevel):<br>Windows|Contains information about initializing setup.|If setup fails to launch.|
|**setupact.log**|Post-upgrade (after OOBE):<br>Windows\Panther|Contains information about setup actions during the installation.|Investigate post-upgrade related issues.|
|**setuperr.log**|Same as setupact.log|Contains information about setup errors during the installation.|Review all errors encountered during the installation phase.|
|**miglog.xml**|Post-upgrade (after OOBE):<br>Windows\Panther|Contains information about what was migrated during the installation.|Identify post upgrade data migration issues.|
|**BlueBox.log**|Down-Level:<br>Windows\Logs\Mosetup|Contains information communication between `setup.exe` and Windows Update.|Use during WSUS and Windows Update downlevel failures or for 0xC1900107.|
|Supplemental rollback logs:<br>**Setupmem.dmp**<br>**setupapi.dev.log**<br>Event logs (*.evtx)|$Windows.~BT\Sources\Rollback|Additional logs collected during rollback.|Setupmem.dmp: If OS bug checks during upgrade, setup attempts to extract a mini-dump.<br>Setupapi: Device install issues - 0x30018<br>Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.|
## Log entry structure
A `setupact.log` or `setuperr.log` entry includes the following elements:
1. **The date and time** - 2023-09-08 09:20:05
1. **The log level** - Info, Warning, Error, Fatal Error
1. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS
The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are useful for troubleshooting Windows Setup errors.
1. **The message** - Operation completed successfully.
See the following example:
| Date/Time | Log level | Component | Message |
|------|------------|------------|------------|
|2023-09-08 09:23:50,| Warning | MIG | Couldn't replace object C:\Users\name\Cookies. Target Object can't be removed.|
## Analyze log files
The following instructions are meant for IT professionals. To become more familiar with [result codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes) and [extend codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes), see the article [Upgrade error codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json).
To analyze Windows Setup log files:
1. Determine the Windows Setup error code. Windows Setup should return an error code if it isn't successful with the upgrade process.
1. Based on the [extend code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes) portion of the error code, determine the type and location of a log file to investigate.
1. Open the log file in a text editor, such as Notepad.
1. Using the [result code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes) portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below.
1. To find the last occurrence of the result code:
1. Scroll to the bottom of the file and select after the last character.
1. Select **Edit**.
1. Select **Find**.
1. Type the result code.
1. Under **Direction** select **Up**.
1. Select **Find Next**.
1. When the last occurrence of the result code is located, scroll up a few lines from this location in the file and review the processes that failed before generating the result code.
1. Search for the following important text strings:
- `Shell application requested abort`
- `Abandoning apply due to error for object`
1. Decode Win32 errors that appear in this section.
1. Write down the timestamp for the observed errors in this section.
1. Search other log files for additional information matching these timestamps or errors.
For example, assume that the error code for an error is **0x8007042B - 0x2000D**. Searching for **8007042B** reveals the following content from the `setuperr.log` file:
> [!NOTE]
>
> Some lines in the following text are shortened to enhance readability. For example
>
> - The date and time at the start of each line (ex: 2023-10-05 15:27:08) is shortened to minutes and seconds
> - The certificate file name, which is a long text string, is shortened to just "CN."
**setuperr.log** content:
```console
27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
27:08, Error MIG Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
27:08, Error Gather failed. Last error: 0x00000000
27:08, Error SP SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
27:09, Error SP CMigrateFramework: Gather framework failed. Status: 44
27:09, Error SP Operation failed: Migrate framework (Full). Error: 0x8007042B[gle=0x000000b7]
27:09, Error SP Operation execution failed: 13. hr = 0x8007042B[gle=0x000000b7]
27:09, Error SP CSetupPlatformPrivate::Execute: Execution of operations queue failed, abandoning. Error: 0x8007042B[gle=0x000000b7]
```
The first line indicates there was an error **0x00000570** with the file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]**:
```console
27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
```
The error **0x00000570** is a [Win32 error code](/openspecs/windows_protocols/ms-erref/18d8fbe8-a967-4f1c-ae50-99ca8e491d2d) corresponding to: **ERROR_FILE_CORRUPT: The file or directory is corrupted and unreadable**.
Therefore, Windows Setup failed because it wasn't able to migrate the corrupt file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]**. This file is a local system certificate and can be safely deleted. After the `setupact.log` file is searched for more details, the phrase **Shell application requested abort** is found in a location with the same timestamp as the lines in `setuperr.log`. This analysis confirms the suspicion that this file is the cause of the upgrade failure:
**setupact.log** content:
```console
27:00, Info Gather started at 10/5/2023 23:27:00
27:00, Info [0x080489] MIG Setting system object filter context (System)
27:00, Info [0x0803e5] MIG Not unmapping HKCU\Software\Classes; it is not mapped
27:00, Info [0x0803e5] MIG Not unmapping HKCU; it is not mapped
27:00, Info SP ExecuteProgress: Elapsed events:1 of 4, Percent: 12
27:00, Info [0x0802c6] MIG Processing GATHER for migration unit: &lt;System&gt;\UpgradeFramework (CMXEAgent)
27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
27:08, Error MIG Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
27:08, Info SP ExecuteProgress: Elapsed events:2 of 4, Percent: 25
27:08, Info SP ExecuteProgress: Elapsed events:3 of 4, Percent: 37
27:08, Info [0x080489] MIG Setting system object filter context (System)
27:08, Info [0x0803e5] MIG Not unmapping HKCU\Software\Classes; it is not mapped
27:08, Info [0x0803e5] MIG Not unmapping HKCU; it is not mapped
27:08, Info MIG COutOfProcPluginFactory::FreeSurrogateHost: Shutdown in progress.
27:08, Info MIG COutOfProcPluginFactory::LaunchSurrogateHost::CommandLine: -shortened-
27:08, Info MIG COutOfProcPluginFactory::LaunchSurrogateHost: Successfully launched host and got control object.
27:08, Error Gather failed. Last error: 0x00000000
27:08, Info Gather ended at 10/5/2023 23:27:08 with result 44
27:08, Info Leaving MigGather method
27:08, Error SP SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
```
**setupapi.dev.log** content:
```console
>>> [Device Install (UpdateDriverForPlugAndPlayDevices) - PCI\VEN_8086&DEV_8C4F]
>>> Section start 2023/09/26 20:13:01.623
cmd: rundll32.exe "C:\WINDOWS\Installer\MSI6E4C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_95972906 484 ChipsetWiX.CustomAction!Intel.Deployment.ChipsetWiX.CustomActions.InstallDrivers
ndv: INF path: C:\WINDOWS\TEMP\{15B1CD41-69F5-48EA-9F45-0560A40FE2D8}\Drivers\lynxpoint\LynxPointSystem.inf
ndv: Install flags: 0x00000000
ndv: {Update Device Driver - PCI\VEN_8086&DEV_8C4F&SUBSYS_05BE1028&REV_04\3&11583659&0&F8}
ndv: Search options: 0x00000081
ndv: Searching single INF 'C:\WINDOWS\TEMP\{15B1CD41-69F5-48EA-9F45-0560A40FE2D8}\Drivers\lynxpoint\LynxPointSystem.inf'
dvi: {Build Driver List} 20:13:01.643
dvi: Searching for hardware ID(s):
dvi: pci\ven_8086&dev_8c4f&subsys_05be1028&rev_04
dvi: pci\ven_8086&dev_8c4f&subsys_05be1028
dvi: pci\ven_8086&dev_8c4f&cc_060100
dvi: pci\ven_8086&dev_8c4f&cc_0601
dvi: Searching for compatible ID(s):
dvi: pci\ven_8086&dev_8c4f&rev_04
dvi: pci\ven_8086&dev_8c4f
dvi: pci\ven_8086&cc_060100
dvi: pci\ven_8086&cc_0601
dvi: pci\ven_8086
dvi: pci\cc_060100
dvi: pci\cc_0601
sig: {_VERIFY_FILE_SIGNATURE} 20:13:01.667
sig: Key = lynxpointsystem.inf
sig: FilePath = c:\windows\temp\{15b1cd41-69f5-48ea-9f45-0560a40fe2d8}\drivers\lynxpoint\lynxpointsystem.inf
sig: Catalog = c:\windows\temp\{15b1cd41-69f5-48ea-9f45-0560a40fe2d8}\drivers\lynxpoint\LynxPoint.cat
sig: Success: File is signed in catalog.
sig: {_VERIFY_FILE_SIGNATURE exit(0x00000000)} 20:13:01.683
dvi: Created Driver Node:
dvi: HardwareID - PCI\VEN_8086&DEV_8C4F
dvi: InfName - c:\windows\temp\{15b1cd41-69f5-48ea-9f45-0560a40fe2d8}\drivers\lynxpoint\lynxpointsystem.inf
dvi: DevDesc - Intel(R) QM87 LPC Controller - 8C4F
dvi: Section - Needs_ISAPNP_DRV
dvi: Rank - 0x00ff2001
dvi: Signer Score - WHQL
dvi: DrvDate - 04/04/2016
dvi: Version - 10.1.1.18
dvi: {Build Driver List - exit(0x00000000)} 20:13:01.699
ndv: Searching currently installed INF
dvi: {Build Driver List} 20:13:01.699
dvi: Searching for hardware ID(s):
dvi: pci\ven_8086&dev_8c4f&subsys_05be1028&rev_04
dvi: pci\ven_8086&dev_8c4f&subsys_05be1028
dvi: pci\ven_8086&dev_8c4f&cc_060100
dvi: pci\ven_8086&dev_8c4f&cc_0601
dvi: Searching for compatible ID(s):
dvi: pci\ven_8086&dev_8c4f&rev_04
dvi: pci\ven_8086&dev_8c4f
dvi: pci\ven_8086&cc_060100
dvi: pci\ven_8086&cc_0601
dvi: pci\ven_8086
dvi: pci\cc_060100
dvi: pci\cc_0601
dvi: Created Driver Node:
dvi: HardwareID - PCI\VEN_8086&DEV_8C4F
dvi: InfName - C:\WINDOWS\System32\DriverStore\FileRepository\lynxpointsystem.inf_amd64_cd1e518d883ecdfe\lynxpointsystem.inf
dvi: DevDesc - Intel(R) QM87 LPC Controller - 8C4F
dvi: Section - Needs_ISAPNP_DRV
dvi: Rank - 0x00ff2001
dvi: Signer Score - WHQL
dvi: DrvDate - 10/03/2016
dvi: Version - 10.1.1.38
dvi: {Build Driver List - exit(0x00000000)} 20:13:01.731
dvi: {DIF_SELECTBESTCOMPATDRV} 20:13:01.731
dvi: Default installer: Enter 20:13:01.735
dvi: {Select Best Driver}
dvi: Class GUID of device changed to: {4d36e97d-e325-11ce-bfc1-08002be10318}.
dvi: Selected Driver:
dvi: Description - Intel(R) QM87 LPC Controller - 8C4F
dvi: InfFile - c:\windows\system32\driverstore\filerepository\lynxpointsystem.inf_amd64_cd1e518d883ecdfe\lynxpointsystem.inf
dvi: Section - Needs_ISAPNP_DRV
dvi: {Select Best Driver - exit(0x00000000)}
dvi: Default installer: Exit
dvi: {DIF_SELECTBESTCOMPATDRV - exit(0x00000000)} 20:13:01.743
ndv: Currently Installed Driver:
ndv: Inf Name - oem1.inf
ndv: Driver Date - 10/03/2016
ndv: Driver Version - 10.1.1.38
ndv: {Update Device Driver - exit(00000103)}
! ndv: No better matching drivers found for device 'PCI\VEN_8086&DEV_8C4F&SUBSYS_05BE1028&REV_04\3&11583659&0&F8'.
! ndv: No devices were updated.
<<< Section end 2019/09/26 20:13:01.759
<<< [Exit status: FAILURE(0xC1900101)]
```
This analysis indicates that the Windows upgrade error can be resolved by deleting the `C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]` file.
> [!NOTE]
>
> In this example, the full file name is `C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\be8228fb2d3cb6c6b0ccd9ad51b320b4_a43d512c-69f2-42de-aef9-7a88fabdaa3f`.
## Related articles
- [Fix Windows Update errors by using the DISM or System Update Readiness tool](/troubleshoot/windows-server/deployment/fix-windows-update-errors).

18
windows/deployment/upgrade/resolve-windows-upgrade-errors.md
View File

@ -8,7 +8,7 @@ ms.localizationpriority: medium
ms.topic: troubleshooting-general
ms.service: windows-client
ms.subservice: itpro-deploy
ms.date: 01/29/2025
ms.date: 04/08/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
@ -35,22 +35,22 @@ The following four levels are assigned:
See the following articles in this section:
- [Quick fixes](/troubleshoot/windows-client/deployment/windows-10-upgrade-quick-fixes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): \Level 100\ Steps to take to eliminate many Windows upgrade errors.
- [SetupDiag](setupdiag.md): \Level 300\ SetupDiag is a new tool to help isolate the root cause of an upgrade failure.
- [Troubleshooting upgrade errors](/troubleshoot/windows-client/deployment/windows-10-upgrade-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): \Level 300\ General advice and techniques for troubleshooting Windows upgrade errors, and an explanation of phases used during the upgrade process.
- [Windows Error Reporting](windows-error-reporting.md): \Level 300\ How to use Event Viewer to review details about a Windows upgrade.
- [Upgrade error codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): \Level 400\ The components of an error code are explained.
- [Quick fixes](/troubleshoot/windows-client/deployment/windows-10-upgrade-quick-fixes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): (Level 100) Steps to take to eliminate many Windows upgrade errors.
- [SetupDiag](setupdiag.md): (Level 300) SetupDiag is a new tool to help isolate the root cause of an upgrade failure.
- [Troubleshooting upgrade errors](/troubleshoot/windows-client/deployment/windows-10-upgrade-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): (Level 300) General advice and techniques for troubleshooting Windows upgrade errors, and an explanation of phases used during the upgrade process.
- [Windows Error Reporting](windows-error-reporting.md): (Level 300) How to use Event Viewer to review details about a Windows upgrade.
- [Upgrade error codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): (Level 400) The components of an error code are explained.
- [Result codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes): Information about result codes.
- [Extend codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes): Information about extend codes.
- [Log files](log-files.md): \Level 400\ A list and description of log files useful for troubleshooting.
- [Log files](log-files.md): (Level 400) A list and description of log files useful for troubleshooting.
- [Log entry structure](log-files.md#log-entry-structure): The format of a log entry is described.
- [Analyze log files](log-files.md#analyze-log-files): General procedures for log file analysis, and an example.
- [Resolution procedures](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): \Level 200\ Causes and mitigation procedures associated with specific error codes.
- [Resolution procedures](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): (Level 200) Causes and mitigation procedures associated with specific error codes.
- [0xC1900101](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#0xc1900101): Information about the 0xC1900101 result code.
- [0x800xxxxx](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#0x800xxxxx): Information about result codes that start with 0x800.
- [Other result codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#other-result-codes): Additional causes and mitigation procedures are provided for some result codes.
- [Other error codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#other-error-codes): Additional causes and mitigation procedures are provided for some error codes.
- [Submit Windows upgrade errors](submit-errors.md): \Level 100\ Submit upgrade errors to Microsoft for analysis.
- [Submit Windows upgrade errors](submit-errors.md): (Level 100) Submit upgrade errors to Microsoft for analysis.
## Related articles

178
windows/deployment/upgrade/setupdiag.md
View File

@ -12,7 +12,7 @@ ms.topic: troubleshooting
ms.collection:
- highpri
- tier2
ms.date: 03/27/2025
ms.date: 04/08/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
@ -24,14 +24,15 @@ appliesto:
>
> This article is a 300 level article (moderate advanced). See [Resolve Windows upgrade errors](resolve-windows-upgrade-errors.md) for a full list of articles in this section.
> [!div class="nextstepaction"]
> [Download the latest version of SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142)
## About SetupDiag
> [!IMPORTANT]
>
> When SetupDiag is run manually, Microsoft recommends running the latest version of SetupDiag. The latest version is available via the following [download link](https://go.microsoft.com/fwlink/?linkid=870142). Running the latest version ensures the latest functionality and fixes known issues.
> When SetupDiag is run manually, Microsoft recommends running the latest version of SetupDiag. The latest version is available via the following link:
>
> [Download the latest version of SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142)
>
> Running the latest version ensures the latest functionality and fixes known issues.
SetupDiag is a diagnostic tool that can be used to obtain details about why a Windows upgrade was unsuccessful.
@ -39,14 +40,14 @@ SetupDiag works by examining Windows Setup log files. It attempts to parse these
SetupDiag is included with [Windows Setup](/windows-hardware/manufacture/desktop/deployment-troubleshooting-and-log-files#windows-setup-scenario) in all currently supported versions of Windows.
During the upgrade process, Windows Setup extracts all its sources files, including **SetupDiag.exe**, to the **%SystemDrive%\$Windows.~bt\Sources** directory. If there's an issue with the upgrade, SetupDiag automatically runs to determine the cause of the failure.
During the upgrade process, Windows Setup extracts all its source files, including `SetupDiag.exe`, to the `%SystemDrive%\$Windows.~bt\Sources` directory. If there's an issue with the upgrade, SetupDiag automatically runs to determine the cause of the failure.
When run by Windows Setup, the following [parameters](#parameters) are used:
- /ZipLogs:False
- /Format:xml
- /Output:%windir%\logs\SetupDiag\SetupDiagResults.xml
- /RegPath:HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupDiag\Results
- `/ZipLogs:False`
- `/Format:xml`
- `/Output:%windir%\logs\SetupDiag\SetupDiagResults.xml`
- `/RegPath:HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupDiag\Results`
The resulting SetupDiag analysis can be found at `%WinDir%\Logs\SetupDiag\SetupDiagResults.xml` and in the registry under `HKLM\SYSTEM\Setup\SetupDiag\Results`.
@ -58,7 +59,11 @@ The resulting SetupDiag analysis can be found at `%WinDir%\Logs\SetupDiag\SetupD
>
> When SetupDiag indicates that there were multiple failures, the last failure in the log file is typically the fatal error, not the first one.
If the upgrade process proceeds normally, the **Sources** directory including **SetupDiag.exe** is moved under **%SystemDrive%\Windows.Old** for cleanup. If the **Windows.old** directory is deleted later, **SetupDiag.exe** is also removed.
If the upgrade process proceeds normally, the `Sources` directory including `SetupDiag.exe` is moved under `%SystemDrive%\Windows.Old` for cleanup. If the `Windows.old` directory is deleted later, `SetupDiag.exe` is also removed.
> [!TIP]
>
> If `SetupDiag.exe` is needed after the `Windows.old` directory is deleted, it can be downloaded from the [Microsoft Download Center](https://go.microsoft.com/fwlink/?linkid=870142).
## Requirements
@ -81,50 +86,52 @@ If the upgrade process proceeds normally, the **Sources** directory including **
## Using SetupDiag
To quickly use SetupDiag on the current computer:
To use SetupDiag:
1. Verify that the system meets the [requirements](#requirements).
1. [Download SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142).
1. [Download](https://go.microsoft.com/fwlink/?linkid=870142) the latest version of SetupDiag.
1. If the web browser asks what to do with the file, choose **Save**. By default, the file is saved to the **Downloads** folder. If desired, the file can also be saved to a different location by using **Save As**.
1. If the web browser asks what to do with the file, choose **Save**. By default, the file is saved to the **Downloads** folder, which is displayed in File Explorer under **Quick access** in the left navigation pane. If desired, the file can also be saved to a different location by using **Save As**.
1. When SetupDiag finishes downloading, open the folder where the file was downloaded. By default, this folder is the **Downloads** folder, which is displayed in File Explorer under **Quick access** in the left navigation pane.
1. Once SetupDiag finishes downloading, open an elevated command prompt and navigate to the directory where `setupdiag.exe` was downloaded and saved to.
1. Double-click the **SetupDiag** file to run it. Select **Yes** if asked to approve running the program.
1. In the elevated command prompt, run `setupdiage.exe` in online mode using the desired parameters as documented in the [Parameters](#parameters) and [Examples](#examples) sections.
Double-clicking the file to run it automatically closes the command window when SetupDiag completes its analysis. To instead keep the window open to review the messages SetupDiag generates, run the program by typing **SetupDiag** at the command prompt instead of double-clicking it. When running from a command prompt, make sure to change directories to where SetupDiag is located.
1. Wait for SetupDiag to finish.
1. A command window opens while SetupDiag diagnoses the computer. Wait for this process to finish.
1. When SetupDiag finishes, two files are created in the same folder where SetupDiag was run from. One is a configuration file, the other is a log file.
1. When SetupDiag finishes, two files are created in the same folder where SetupDiag was run from:
- A configuration file.
- A log file.
1. Use Notepad to open the log file **SetupDiagResults.log**.
1. Review the information that is displayed. If a rule was matched, this information can say why the computer failed to upgrade, and potentially how to fix the problem. See the section [Text log sample](#text-log-sample).
For instructions on how to run the tool in offline mode and with more advanced options, see the sections [Parameters](#parameters) and [Examples](#examples).
> [!TIP]
>
> For instructions on how to run the tool in offline mode in Windows PE, see the sections [Parameters](#parameters) and [Examples](#examples).
## Parameters
| Parameter | Description |
| --- | --- |
| **/?** | Displays interactive help |
| **/Output:\[Full path and file name for output log file\]** | This optional parameter specifies the name and location for the results log file. The output file contains the analysis from SetupDiag. Only text format output is supported. UNC paths work provided the context under which SetupDiag runs has access to the UNC path. If the path has a space in it, the entire path must be enclosed in double quotes (**"**). See the [Examples](#examples) sections for an example. <br><br> Default: If not specified, SetupDiag creates the file **SetupDiagResults.log** in the same directory where **SetupDiag.exe** is run. |
| **/LogsPath:\[Full path to logs\]** | This optional parameter specifies the location of logs to parse and where to find the log files for an offline analysis. These log files can be in a flat folder format, or containing multiple subdirectories. SetupDiag recursively searches all child directories. Defaults to checking the current system for logs. |
| **/?** | Displays help information |
| **/Output:\[Full path and file name for output log file\]** | This optional parameter specifies the name and location for the results log file. The output file contains the analysis from SetupDiag. Only text format output is supported. UNC paths work provided the context under which SetupDiag runs has access to the UNC path. If the path has a space in it, the entire path must be enclosed in double quotes (**"**). See the [Examples](#examples) sections for an example. <br><br> Default: If not specified, SetupDiag creates the file **SetupDiagResults.log** in the same directory where **SetupDiag.exe** is run. |
| **/LogsPath:\[Full path to logs\]** | This optional parameter specifies the location of logs to parse and where to find the log files for an offline analysis. These log files can be in a flat folder format, or containing multiple subdirectories. SetupDiag recursively searches all child directories. Defaults to checking the current system for logs. |
| **/ZipLogs:\[True \| False\]** | This optional parameter Tells **SetupDiag.exe** to create a zip file containing the results and all the log files that were parsed. The zip file is created in the same directory where **SetupDiag.exe** is run. <br><br> Default: If not specified, a value of 'true' is used. |
| **/Format:\[xml \| json\]** | This optional parameter specifies the output format for log files to be XML or JSON. If this parameter isn't specified, text format is used by default. |
| **/Format:\[xml \| json\]** | This optional parameter specifies the output format for log files to be XML or JSON. If this parameter isn't specified, text format is used by default. |
| **/Scenario:\[Recovery \| Debug\]** | This optional parameter can do one of the following two items based on the argument used: <br><br> <ul><li>Recovery instructs **SetupDiag.exe** to look for and process reset and recovery logs and ignore setup/upgrade logs.</li><li>Debug instructs **SetupDiag.exe** to debug memory dumps if the requisite debug binaries are installed.</li></ul> |
| **/Verbose** | This optional parameter creates a diagnostic log in the current directory, with debugging information, additional data, and details about SetupDiag. By default, SetupDiag only produces a log file entry for major errors. Using **/Verbose** causes SetupDiag to always produce another log file with debugging details. These details can be useful when reporting a problem with SetupDiag. |
| **/Verbose** | This optional parameter creates a diagnostic log in the current directory, with debugging information, additional data, and details about SetupDiag. By default, SetupDiag only produces a log file entry for major errors. Using **/Verbose** causes SetupDiag to always produce another log file with debugging details. These details can be useful when reporting a problem with SetupDiag. |
| **/NoTel** | This optional parameter tells **SetupDiag.exe** not to send diagnostic telemetry to Microsoft. |
| **/RegPath** | This optional parameter Instructs **SetupDiag.exe** to add failure information to the registry under the given path. Registry paths should start with **HKEY_LOCAL_MACHINE** or **HKEY_CURRENT_USER** and be accessible at the elevation level SetupDiag is executed under. If this parameter isn't specified, the default path is **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag**. |
| **/AddReg** | This optional parameter Instructs **SetupDiag.exe** to add failure information to the registry on the executing system in offline mode. SetupDiag by default adds failure information to the registry in Online mode only. Registry data goes to **HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile\SetupDiag** unless otherwise specified. |
| **/RegPath** | This optional parameter Instructs **SetupDiag.exe** to add failure information to the registry under the given path. Registry paths should start with **HKEY_LOCAL_MACHINE** or **HKEY_CURRENT_USER** and be accessible at the elevation level SetupDiag is executed under. If this parameter isn't specified, the default path is `HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag`. |
| **/AddReg** | This optional parameter Instructs **SetupDiag.exe** to add failure information to the registry on the executing system in offline mode. SetupDiag by default adds failure information to the registry in Online mode only. Registry data goes to `HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile\SetupDiag` unless otherwise specified. |
> [!NOTE]
>
> The **/Mode** parameter is deprecated in SetupDiag.
>
> In previous versions, this command was used with the LogsPath parameter to specify that SetupDiag should run in an offline manner to analyze a set of log files that were captured from a different computer. In current versions of SetupDiag, when /LogsPath is specified then SetupDiag automatically runs in offline mode, therefore the /Mode parameter isn't needed.
> In previous versions, the **/Mode** parameter was used with the **/LogsPath** parameter in offline mode and would analyze a set of log files that were captured on a different computer. In current versions of SetupDiag, when **/LogsPath** is specified, then SetupDiag automatically runs in offline mode, therefore the **/Mode** parameter isn't needed.
### Examples
@ -132,13 +139,13 @@ For instructions on how to run the tool in offline mode and with more advanced o
>
> **SetupDiage.exe** should be run from an elevated command prompt for it to work properly.
- In the following example, SetupDiag is run without parameters and it displays interactive help.
- In the following example, SetupDiag is run without parameters and it displays help information.
```cmd
SetupDiag.exe
```
- In the following example, SetupDiag is run in online mode (this mode is the default). It knows where to look for logs on the current (failing) system, so there's no need to gather logs ahead of time. A custom location for results is specified.
- In the following example, SetupDiag is run in online mode (this mode is the default). It knows where to look for logs on the current (failing) system, so there's no need to gather logs ahead of time. A custom location for results is specified.
```cmd
SetupDiag.exe /Output:C:\SetupDiag\Results.log
@ -156,13 +163,12 @@ For instructions on how to run the tool in offline mode and with more advanced o
SetupDiag.exe /Output:C:\SetupDiag\Results.log /LogsPath:D:\Temp\Logs\LogSet1
```
- The following example sets recovery scenario in offline mode. In the example, SetupDiag searches for reset/recovery logs in the specified LogsPath location and output the results to the directory specified by the **/Output** parameter.
- The following is an example of Reset/Recovery Offline Mode. SetupDiag is instructed to look for reset/recovery logs in the specified LogsPath location. It then outputs the results to the directory specified by the **/Output** parameter.
```cmd
SetupDiag.exe /Output:C:\SetupDiag\RecoveryResults.log /LogsPath:D:\Temp\Cabs\PBR_Log /Scenario:Recovery
```
- The following example sets recovery scenario in online mode. In the example, SetupDiag searches for reset/recovery logs on the current system and output results in XML format.
- The following example is an example of Reset/Recovery Online Mode. SetupDiag is instructed to look for reset/recovery logs on the current system and output its results in XML format.
```cmd
SetupDiag.exe /Scenario:Recovery /Format:xml
@ -180,24 +186,6 @@ For instructions on how to run the tool in offline mode and with more advanced o
SetupDiag.exe /Output:C:\SetupDiag\Results.xml /Format:xml
```
- The following example is an example of Online Mode where no parameters are needed or used. SetupDiag is instructed to look for setup/upgrade logs on the current system and output the results to the same directory where SetupDiag is located.
```cmd
SetupDiag.exe
```
- The following example is an example of Reset/Recovery Offline Mode. SetupDiag is instructed to look for reset/recovery logs in the specified LogsPath location. It then outputs the results to the directory specified by the **/Output** parameter.
```cmd
SetupDiag.exe /Output:C:\SetupDiag\RecoveryResults.log /LogsPath:D:\Temp\Cabs\PBR_Log /Scenario:Recovery
```
- The following example is an example of Reset/Recovery Online Mode. SetupDiag is instructed to look for reset/recovery logs on the current system and output its results in XML format.
```cmd
SetupDiag.exe /Scenario:Recovery /Format:xml
```
## Log files
[Windows Setup Log Files and Event Logs](/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs) has information about where logs are created during Windows Setup. For offline processing, SetupDiag should be run against the contents of the entire folder. For example, depending on when the upgrade failed, copy one of the following folders to the offline location:
@ -225,7 +213,7 @@ To debug a setup-related bug check:
- Install the [Windows Debugging Tools](/windows-hardware/drivers/debugger/debugger-download-tools) on the computer that runs SetupDiag.
In the following example, the `setupmem.dmp` file is copied to the `D:\Dump` directory and the Windows Debugging Tools are installed prior to running SetupDiag:
In the following example, the `setupmem.dmp` file is copied to the `D:\Dump` directory and the Windows Debugging Tools are installed before running SetupDiag:
```cmd
SetupDiag.exe /Output:C:\SetupDiag\Dumpdebug.log /LogsPath:D:\Dump
@ -276,75 +264,75 @@ Logs ZipFile created at: c:\setupdiag\Logs_14.zip
When SetupDiag searches log files, it uses a set of rules to match known issues. These rules are contained in an xml file. The xml file might be updated with new and updated rules as new versions of SetupDiag are made available.
Each rule name and its associated unique rule identifier are listed with a description of the known upgrade-blocking issue. In the rule descriptions, the term **down-level** refers to the first phase of the upgrade process, which runs under the original OS.
Each rule name and its associated unique rule identifier are listed with a description of the known upgrade-blocking issue. In the rule descriptions, the term **downlevel** refers to the first phase of the upgrade process, which runs under the original OS.
| Rule Name | GUID | Description |
| --- | --- |
| **CompatScanOnly** | FFDAFD37-DB75-498A-A893-472D49A1311D | This rule indicates that `setup.exe` was called with a specific command line parameter that indicated setup was to do a compatibility scan only, not an upgrade. |
| **PlugInComplianceBlock** | D912150B-1302-4860-91B5-527907D08960 | Detects all compatibility blocks from Server compliance plug-ins. This rule is for server upgrades only. It outputs the compliance block and remediation required. |
| **BitLockerHardblock** | C30152E2-938E-44B8-915B-D1181BA635AE | This block is an upgrade block when the target OS doesn't support BitLocker, yet the host OS has BitLocker enabled. |
| **VHDHardblock** | D9ED1B82-4ED8-4DFD-8EC0-BE69048978CC | This block happens when the host OS is booted to a VHD image. Upgrade isn't supported when the host OS is booted from a VHD image. |
| **PortableWorkspaceHardblock** | 5B0D3AB4-212A-4CE4-BDB9-37CA404BB280 | This block indicates that the host OS is booted from a Windows To-Go device (USB key). Upgrade isn't supported in the Windows To-Go environment. |
| **AuditModeHardblock** | A03BD71B-487B-4ACA-83A0-735B0F3F1A90 | This block indicates that the host OS is currently booted into Audit Mode, a special mode for modifying the Windows state. Upgrade isn't supported from this state. |
| **VHDHardblock** | D9ED1B82-4ED8-4DFD-8EC0-BE69048978CC | This block happens when the host OS is booted to a VHD image. Upgrade isn't supported when the host OS is booted from a VHD image. |
| **PortableWorkspaceHardblock** | 5B0D3AB4-212A-4CE4-BDB9-37CA404BB280 | This block indicates that the host OS is booted from a Windows To-Go device (USB key. Upgrade isn't supported in the Windows To-Go environment. |
| **AuditModeHardblock** | A03BD71B-487B-4ACA-83A0-735B0F3F1A90 | This block indicates that the host OS is currently booted into Audit Mode, a special mode for modifying the Windows state. Upgrade isn't supported from this state. |
| **SafeModeHardblock** | 404D9523-B7A8-4203-90AF-5FBB05B6579B | This block indicates that the host OS is booted to Safe Mode, where upgrade isn't supported. |
| **InsufficientSystemPartitionDiskSpaceHardblock** | 3789FBF8-E177-437D-B1E3-D38B4C4269D1 | This block is encountered when setup determines the system partition doesn't have enough space to be serviced with the newer boot files required during the upgrade process. The system partition is where the boot loader files are stored |
| **CompatBlockedApplicationAutoUninstall** | BEBA5BC6-6150-413E-8ACE-5E1EC8D34DD5 | This rule indicates there's an application that needs to be uninstalled before setup can continue. |
| **CompatBlockedApplicationDismissable** | EA52620B-E6A0-4BBC-882E-0686605736D9 | When setup is run in **/quiet** mode, there are dismissible application messages that turn into blocks unless the command line also specifies **/compat ignorewarning**. This rule indicates setup was executed in **/quiet** mode but there's an application dismissible block message that prevented setup from continuing. |
| **CompatBlockedFODDismissable** | 7B693C42-793E-4E9E-A10B-ED0F33D45E2A | When setup is run in **/quiet** mode, there are dismissible Feature On Demand messages that turn into blocks unless the command line also specifies **/compat ignorewarning**. This rule indicates setup was executed in **/quiet** mode but there's a Feature On Demand dismissible block message that prevented setup from continuing, usually that the target OS image is missing a Feature On Demand that is installed in the current OS. Removal of the Feature On Demand in the current OS should also resolve the issue.
| **CompatBlockedApplicationManualUninstall** | 9E912E5F-25A5-4FC0-BEC1-CA0EA5432FF4 | This rule indicates that an application without an Add/Remove Programs entry, is present on the system and blocking setup from continuing. This block typically requires manual removal of the files associated with this application to continue. |
| **CompatBlockedApplicationDismissable** | EA52620B-E6A0-4BBC-882E-0686605736D9 | When setup is run in **/quiet** mode, there are dismissible application messages that turn into blocks unless the command line also specifies **/compat ignorewarning**. This rule indicates setup was executed in **/quiet** mode but there's an application dismissible block message that prevented setup from continuing. |
| **CompatBlockedFODDismissable** | 7B693C42-793E-4E9E-A10B-ED0F33D45E2A | When setup is run in **/quiet** mode, there are dismissible Feature On Demand messages that turn into blocks unless the command line also specifies **/compat ignorewarning**. This rule indicates setup was executed in **/quiet** mode but there's a Feature On Demand dismissible block message that prevented setup from continuing, usually that the target OS image is missing a Feature On Demand that is installed in the current OS. Removal of the Feature On Demand in the current OS should also resolve the issue.
| **CompatBlockedApplicationManualUninstall** | 9E912E5F-25A5-4FC0-BEC1-CA0EA5432FF4 | This rule indicates that an application without an Add/Remove Programs entry, is present on the system and blocking setup from continuing. This block typically requires manual removal of the files associated with this application to continue. |
| **GenericCompatBlock** | 511B9D95-C945-4F9B-BD63-98F1465E1CF6 | The rule indicates that system doesn't meet a hardware requirement for running Windows. For example, the device is missing a requirement for TPM 2.0. This issue can occur even when an attempt is made to bypass the hardware requirements. |
| **GatedCompatBlock** | 34A9F145-3842-4A68-987F-4622EE0FC162 | This rule indicates that the upgrade failed due to a temporary block. A temporary block is put in place when an issue is found with a specific piece of software or hardware driver and the issue has a fix pending. The block is lifted once the fix is widely available. |
| **HardblockDeviceOrDriver** | ED3AEFA1-F3E2-4F33-8A21-184ADF215B1B | This error indicates a device driver that is loaded on the host OS isn't compatible with the newer OS version. The device driver needs to be removed prior to the upgrade. |
| **HardblockDeviceOrDriver** | ED3AEFA1-F3E2-4F33-8A21-184ADF215B1B | This error indicates a device driver that is loaded on the host OS isn't compatible with the newer OS version. The device driver needs to be removed before the upgrade. |
| **HardblockMismatchedLanguage** | 60BA8449-CF23-4D92-A108-D6FCEFB95B45 | This rule indicates the host OS and the target OS language editions don't match. |
| **HardblockFlightSigning** | 598F2802-3E7F-4697-BD18-7A6371C8B2F8 | This rule indicates the target OS is a pre-release, Windows Insider build, and the target machine has Secure Boot enabled. This rule blocks the pre-release signed build from booting if installed on the machine. |
| **DiskSpaceBlockInDownLevel** | 6080AFAC-892E-4903-94EA-7A17E69E549E | This failure indicates the system ran out of disk space during the down-level operations of upgrade. |
| **HardblockFlightSigning** | 598F2802-3E7F-4697-BD18-7A6371C8B2F8 | This rule indicates the target OS is a pre-release, Windows Insider build, and the target machine has Secure Boot enabled. This rule blocks the pre-release signed build from booting if installed on the machine. |
| **DiskSpaceBlockInDownLevel** | 6080AFAC-892E-4903-94EA-7A17E69E549E | This failure indicates the system ran out of disk space during the downlevel operations of upgrade. |
| **DiskSpaceFailure** | 981DCBA5-B8D0-4BA7-A8AB-4030F7A10191 | This failure indicates the system drive ran out of available disk space at some point after the first reboot into the upgrade. |
| **PreReleaseWimMountDriverFound** | 31EC76CC-27EC-4ADC-9869-66AABEDB56F0 | Captures failures due to having an unrecognized `wimmount.sys` driver registered on the system. |
| **DebugSetupMemoryDump** | C7C63D8A-C5F6-4255-8031-74597773C3C6 | This offline only rule indicates a bug check occurred during setup. If the debugger tools are available on the system, SetupDiag debugs the memory dump and provide details. |
| **DebugSetupCrash** | CEEBA202-6F04-4BC3-84B8-7B99AED924B1 | This offline only rule indicates that setup itself encountered a failure that resulted in a process memory dump. If the debugger tools are installed on the system, SetupDiag debugs the memory dump and give further details. |
| **DebugMemoryDump** | 505ED489-329A-43F5-B467-FCAAF6A1264C | This offline only rule is for any memory.dmp file that resulted during the setup/upgrade operation. If the debugger tools are installed on the system, SetupDiag debugs the memory dump and give further details. |
| **DebugSetupMemoryDump** | C7C63D8A-C5F6-4255-8031-74597773C3C6 | This offline only rule indicates a bug check occurred during setup. If the debugger tools are available on the system, SetupDiag debugs the memory dump and provide details. |
| **DebugSetupCrash** | CEEBA202-6F04-4BC3-84B8-7B99AED924B1 | This offline only rule indicates that setup itself encountered a failure that resulted in a process memory dump. If the debugger tools are installed on the system, SetupDiag debugs the memory dump and give further details. |
| **DebugMemoryDump** | 505ED489-329A-43F5-B467-FCAAF6A1264C | This offline only rule is for any memory.dmp file that resulted during the setup/upgrade operation. If the debugger tools are installed on the system, SetupDiag debugs the memory dump and give further details. |
| **DeviceInstallHang** | 37BB1C3A-4D79-40E8-A556-FDA126D40BC6 | This failure rule indicates the system hung or bug checked during the device installation phase of upgrade. |
| **DriverPackageMissingFileFailure** | 37BB1C3A-4D79-40E8-A556-FDA126D40BC6 | This rule indicates that a driver package had a missing file during device install. Updating the driver package might help resolve the issue. |
| **UnsignedDriverBootFailure** | CD270AA4-C044-4A22-886A-F34EF2E79469 | This rule indicates that an unsigned driver caused a boot failure. |
| **BootFailureDetected** | 4FB446C2-D4EC-40B4-97E2-67EB19D1CFB7 | This rule indicates a boot failure occurred during a specific phase of the update. The rule indicates the failure code and phase for diagnostic purposes. |
| **BootFailureDetected** | 4FB446C2-D4EC-40B4-97E2-67EB19D1CFB7 | This rule indicates a boot failure occurred during a specific phase of the update. The rule indicates the failure code and phase for diagnostic purposes. |
| **WinSetupBootFilterFailure** | C073BFC8-5810-4E19-B53B-4280B79E096C | Detects failures in the kernel mode file operations. |
| **FindDebugInfoFromRollbackLog** | 9600EB68-1120-4A87-9FE9-3A4A70ACFC37 | This rule determines and gives details when a bug check occurs during the setup/upgrade process that resulted in a memory dump. However, a debugger package isn't required on the executing machine. |
| **AdvancedInstallerFailed** | 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC | Finds fatal advanced installer operations that cause setup failures. Indicates critical failure in the AdvancedInstaller while running an installer package, includes the .exe being called, the phase, mode, component and error codes. |
| **AdvancedInstallerFailed** | 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC | Finds fatal advanced installer operations that cause setup failures. Indicates critical failure in the AdvancedInstaller while running an installer package, includes the .exe being called, the phase, mode, component, and error codes. |
| **AdvancedInstallerPluginInstallFailed** | 2F784A0E-CEB1-47C5-8072-F1294C7CB4AE | This rule indicates some component that was being installed via an advanced installer (FeatureOnDemand, Language Packs, .NET packages, etc.) failed to install. The rule calls out what was being installed. If the failed component is a FeatureOnDemand, remove the Windows Feature, reboot, and try the upgrade again. If the failed component is a Language Pack, remove the additional language pack, reboot, and try the upgrade again. |
| **AdvancedInstallerGenericFailure** | 4019550D-4CAA-45B0-A222-349C48E86F71 | A rule to match AdvancedInstaller read/write failures in a generic sense. Triggers on advanced installer failures in a generic sense. It outputs the application called, phase, mode, component and error code. |
| **FindMigApplyUnitFailure** | A4232E11-4043-4A37-9BF4-5901C46FD781 | Detects a migration unit failure that caused the update to fail. This rule outputs the name of the migration plug-in and the error code it produced for diagnostic purposes. |
| **FindMigGatherUnitFailure** | D04C064B-CD77-4E64-96D6-D26F30B4EE29 | Detects a migration gather unit failure that caused the update to fail. This rule outputs the name of the gather unit/plug-in and the error code it produced for diagnostic purposes. |
| **FindMigGatherApplyFailure** | A9964E6C-A2A8-45FF-B6B5-25E0BD71428E | Shows errors when the migration Engine fails out on a gather or apply operation. Indicates the Migration Object (file or registry path), the Migration |
| **OptionalComponentFailedToGetOCsFromPackage** | D012E2A2-99D8-4A8C-BBB2-088B92083D78 | This rule matches a specific Optional Component failure when attempting to enumerate components in a package. Indicates the optional component (OC) migration operation failed to enumerate optional components from an OC Package. It outputs the package name and error code. This rule replaces the OptionalComponentInstallFailure rule present. |
| **OptionalComponentOpenPackageFailed** | 22952520-EC89-4FBD-94E0-B67DF88347F6 | Matches a specific Optional Component failure when attempting to open an OC package. It outputs the package name and error code. Indicates the optional component migration operation failed to open an optional component Package. Outputs the package name and error code. |
| **OptionalComponentInitCBSSessionFailed** | 63340812-9252-45F3-A0F2-B2A4CA5E9317 | Matches a specific failure where the advanced installer service or components aren't operating or started on the system. Indicates corruption in the servicing stack on the down-level system. Outputs the error code encountered while trying to initialize the servicing component on the existing OS. |
| **CriticalSafeOSDUFailure** | 73566DF2-CA26-4073-B34C-C9BC70DBF043 | This rule indicates a failure occurred while updating the SafeOS image with a critical dynamic update. It indicates the phase and error code that occurred while attempting to update the SafeOS image for diagnostic purposes. |
| **UserProfileCreationFailureDuringOnlineApply** | 678117CE-F6A9-40C5-BC9F-A22575C78B14 | Indicates there was a critical failure while creating or modifying a User Profile during the online apply phase of the update. It indicates the operation and error code associated with the failure for diagnostic purposes. |
| **UserProfileCreationFailureDuringFinalize** | C6677BA6-2E53-4A88-B528-336D15ED1A64 | Matches a specific User Profile creation error during the finalize phase of setup. It outputs the failure code. |
| **AdvancedInstallerGenericFailure** | 4019550D-4CAA-45B0-A222-349C48E86F71 | A rule to match AdvancedInstaller read/write failures in a generic sense. Triggers on advanced installer failures in a generic sense. It outputs the application called, phase, mode, component, and error code. |
| **FindMigApplyUnitFailure** | A4232E11-4043-4A37-9BF4-5901C46FD781 | Detects a migration unit failure that caused the update to fail. This rule outputs the name of the migration plug-in and the error code it produced for diagnostic purposes. |
| **FindMigGatherUnitFailure** | D04C064B-CD77-4E64-96D6-D26F30B4EE29 | Detects a migration gather unit failure that caused the update to fail. This rule outputs the name of the gather unit/plug-in and the error code it produced for diagnostic purposes. |
| **FindMigGatherApplyFailure** | A9964E6C-A2A8-45FF-B6B5-25E0BD71428E | Shows errors when the migration Engine fails out on a gather or apply operation. Indicates the Migration Object (file or registry path), the Migration |
| **OptionalComponentFailedToGetOCsFromPackage** | D012E2A2-99D8-4A8C-BBB2-088B92083D78 | This rule matches a specific Optional Component failure when attempting to enumerate components in a package. Indicates the optional component (OC) migration operation failed to enumerate optional components from an OC Package. It outputs the package name and error code. This rule replaces the OptionalComponentInstallFailure rule present. |
| **OptionalComponentOpenPackageFailed** | 22952520-EC89-4FBD-94E0-B67DF88347F6 | Matches a specific Optional Component failure when attempting to open an OC package. It outputs the package name and error code. Indicates the optional component migration operation failed to open an optional component Package. Outputs the package name and error code. |
| **OptionalComponentInitCBSSessionFailed** | 63340812-9252-45F3-A0F2-B2A4CA5E9317 | Matches a specific failure where the advanced installer service or components aren't operating or started on the system. Indicates corruption in the servicing stack on the downlevel system. Outputs the error code encountered while trying to initialize the servicing component on the existing OS. |
| **CriticalSafeOSDUFailure** | 73566DF2-CA26-4073-B34C-C9BC70DBF043 | This rule indicates a failure occurred while updating the SafeOS image with a critical dynamic update. It indicates the phase and error code that occurred while attempting to update the SafeOS image for diagnostic purposes. |
| **UserProfileCreationFailureDuringOnlineApply** | 678117CE-F6A9-40C5-BC9F-A22575C78B14 | Indicates there was a critical failure while creating or modifying a User Profile during the online apply phase of the update. It indicates the operation and error code associated with the failure for diagnostic purposes. |
| **UserProfileCreationFailureDuringFinalize** | C6677BA6-2E53-4A88-B528-336D15ED1A64 | Matches a specific User Profile creation error during the finalize phase of setup. It outputs the failure code. |
| **UserProfileSuffixMismatch** | B4BBCCCE-F99D-43EB-9090-078213397FD8 | Detects when a file or other object causes the migration or creation of a user profile to fail during the update. |
| **DuplicateUserProfileFailure** | BD7B3109-80F1-4421-8F0A-B34CD25F4B51 | This rule indicates a fatal error while migrating user profiles, usually with multiple SIDs associated with a single user profile. This error usually occurs when software creates local user accounts that aren't ever used or signed in with. The rule indicates the SID and UserName of the account that is causing the failure. To attempt to resolve the issue, first back up all the user's files for the affected user account. After the user's files are backed up, delete the account in a supported manner. Make sure that the account isn't one that is needed or is currently used to sign into the device. After deleting the account, reboot, and try the upgrade again. |
| **WimMountFailure** | BE6DF2F1-19A6-48C6-AEF8-D3B0CE3D4549 | This rule indicates the update failed to mount a WIM file. It shows the name of the WIM file and the error message and error code associated with the failure for diagnostic purposes. |
| **WimMountFailure** | BE6DF2F1-19A6-48C6-AEF8-D3B0CE3D4549 | This rule indicates the update failed to mount a WIM file. It shows the name of the WIM file and the error message and error code associated with the failure for diagnostic purposes. |
| **WimMountDriverIssue** | 565B60DD-5403-4797-AE3E-BC5CB972FBAE | Detects failures in `WimMount.sys` registration on the system. |
| **WimApplyExtractFailure** | 746879E9-C9C5-488C-8D4B-0C811FF3A9A8 | Matches a WIM apply failure during WIM extraction phases of setup. It outputs the extension, path and error code. |
| **UpdateAgentExpanderFailure** | 66E496B3-7D19-47FA-B19B-4040B9FD17E2 | Matches DPX expander failures in the down-level phase of update from Windows Update. It outputs the package name, function, expression and error code. |
| **FindFatalPluginFailure** | E48E3F1C-26F6-4AFB-859B-BF637DA49636 | Matches any plug-in failure that setupplatform decides is fatal to setup. It outputs the plugin name, operation and error code. |
| **MigrationAbortedDueToPluginFailure** | D07A24F6-5B25-474E-B516-A730085940C9 | Indicates a critical failure in a migration plugin that causes setup to abort the migration. Provides the setup operation, plug-in name, plug-in action and error code. |
| **DISMAddPackageFailed** | 6196FF5B-E69E-4117-9EC6-9C1EAB20A3B9 | Indicates a critical failure during a DISM add package operation. Specifies the Package Name, DISM error and add package error code. |
| **WimApplyExtractFailure** | 746879E9-C9C5-488C-8D4B-0C811FF3A9A8 | Matches a WIM apply failure during WIM extraction phases of setup. It outputs the extension, path, and error code. |
| **UpdateAgentExpanderFailure** | 66E496B3-7D19-47FA-B19B-4040B9FD17E2 | Matches DPX expander failures in the downlevel phase of update from Windows Update. It outputs the package name, function, expression, and error code. |
| **FindFatalPluginFailure** | E48E3F1C-26F6-4AFB-859B-BF637DA49636 | Matches any plug-in failure that setupplatform decides is fatal to setup. It outputs the plugin name, operation, and error code. |
| **MigrationAbortedDueToPluginFailure** | D07A24F6-5B25-474E-B516-A730085940C9 | Indicates a critical failure in a migration plugin that causes setup to abort the migration. Provides the setup operation, plug-in name, plug-in action and error code. |
| **DISMAddPackageFailed** | 6196FF5B-E69E-4117-9EC6-9C1EAB20A3B9 | Indicates a critical failure during a DISM add package operation. Specifies the Package Name, DISM error and add package error code. |
| **DISMImageSessionFailure** | 61B7886B-10CD-4C98-A299-B987CB24A11C | Captures failure information when DISM fails to start an image session successfully. |
| **DISMproviderFailure** | D76EF86F-B3F8-433F-9EBF-B4411F8141F4 | Triggers when a DISM provider (plug-in) fails in a critical operation. Outputs the file (plug-in name), function called + error code, and error message from the provider. |
| **SysPrepLaunchModuleFailure** | 7905655C-F295-45F7-8873-81D6F9149BFD | Indicates a sysPrep plug-in failed in a critical operation. Indicates the plug-in name, operation name and error code. |
| **UserProvidedDriverInjectionFailure** | 2247C48A-7EE3-4037-AFAB-95B92DE1D980 | A driver provided to setup (via command line input) failed in some way. Outputs the driver install function and error code. |
| **DISMproviderFailure** | D76EF86F-B3F8-433F-9EBF-B4411F8141F4 | Triggers when a DISM provider (plug-in) fails in a critical operation. Outputs the file (plug-in name), function called + error code, and error message from the provider. |
| **SysPrepLaunchModuleFailure** | 7905655C-F295-45F7-8873-81D6F9149BFD | Indicates a sysPrep plug-in failed in a critical operation. Indicates the plug-in name, operation name, and error code. |
| **UserProvidedDriverInjectionFailure** | 2247C48A-7EE3-4037-AFAB-95B92DE1D980 | A driver provided to setup (via command line input) failed in some way. Outputs the driver install function and error code. |
| **DriverMigrationFailure** | 9378D9E2-256E-448C-B02F-137F611F5CE3 | This rule indicates a fatal failure when migrating drivers. |
| **UnknownDriverMigrationFailure** | D7541B80-5071-42CE-AD14-FBE8C0C4F7FD | This rule indicates a bad driver package resides on the system. The driver package causes the upgrade to fail when the driver package is attempted to migrate to the new OS. The rule usually indicates the driver package name that caused the issue. The remediation is to remove the bad driver package, reboot, and try the upgrade again. If an update to this driver is available from the OEM, updating the driver package is recommended. |
| **UnknownDriverMigrationFailure** | D7541B80-5071-42CE-AD14-FBE8C0C4F7FD | This rule indicates a bad driver package resides on the system. The driver package causes the upgrade to fail when the driver package is attempted to migrate to the new OS. The rule usually indicates the driver package name that caused the issue. The remediation is to remove the bad driver package, reboot, and try the upgrade again. If an update to this driver is available from the OEM, updating the driver package is recommended. |
| | |
| **FindSuccessfulUpgrade** | 8A0824C8-A56D-4C55-95A0-22751AB62F3E | Determines if the given setup was a success or not based off the logs. |
| **FindSetupHostReportedFailure** | 6253C04F-2E4E-4F7A-B88E-95A69702F7EC | Gives information about failures surfaced early in the upgrade process by `setuphost.exe` |
| **FindDownlevelFailure** | 716334B7-F46A-4BAA-94F2-3E31BC9EFA55 | Gives failure information surfaced by SetupPlatform, later in the down-level phase. |
| **FindAbruptDownlevelFailure** | 55882B1A-DA3E-408A-9076-23B22A0472BD | Gives last operation failure information when the system fails in the down-level, but the log just ends abruptly. |
| **FindEarlyDownlevelError** | A4CE4FC9-5E10-4BB1-8ECE-3B29EB9D7C52 | Detects failures in down-level phase before setup platform is invoked. |
| **FindDownlevelFailure** | 716334B7-F46A-4BAA-94F2-3E31BC9EFA55 | Gives failure information surfaced by SetupPlatform, later in the downlevel phase. |
| **FindAbruptDownlevelFailure** | 55882B1A-DA3E-408A-9076-23B22A0472BD | Gives last operation failure information when the system fails in the downlevel, but the log just ends abruptly. |
| **FindEarlyDownlevelError** | A4CE4FC9-5E10-4BB1-8ECE-3B29EB9D7C52 | Detects failures in downlevel phase before setup platform is invoked. |
| **FindSPFatalError** | A4028172-1B09-48F8-AD3B-86CDD7D55852 | Captures failure information when setup platform encounters a fatal error. |
| **FindSetupPlatformFailedOperationInfo** | 307A0133-F06B-4B75-AEA8-116C3B53C2D1 | Gives last phase and error information when SetupPlatform indicates a critical failure. This rule indicates the operation and error associated with the failure for diagnostic purposes. |
| **FindRollbackFailure** | 3A43C9B5-05B3-4F7C-A955-88F991BB5A48 | Gives last operation, failure phase and error information when a rollback occurs. |
| **FindSetupPlatformFailedOperationInfo** | 307A0133-F06B-4B75-AEA8-116C3B53C2D1 | Gives last phase and error information when SetupPlatform indicates a critical failure. This rule indicates the operation and error associated with the failure for diagnostic purposes. |
| **FindRollbackFailure** | 3A43C9B5-05B3-4F7C-A955-88F991BB5A48 | Gives last operation, failure phase, and error information when a rollback occurs. |
## Sample logs
@ -374,8 +362,8 @@ System Information:
ReportId = dd4db176-4e3f-4451-aef6-22cf46de8bde
Error: SetupDiag reports Optional Component installation failed to open OC Package. Package Name: Foundation, Error: 0x8007001F
Recommend you check the "Windows Modules Installer" service (Trusted Installer) is started on the system and set to automatic start, reboot and try the update again. Optionally, you can check the status of optional components on the system (search for Windows Features), uninstall any unneeded optional components, reboot and try the update again.
Error: SetupDiag reports down-level failure, Operation: Finalize, Error: 0x8007001F - 0x50015
Recommend you check the "Windows Modules Installer" service (Trusted Installer) is started on the system and set to automatic start, reboot and try the update again. Optionally, you can check the status of optional components on the system (search for Windows Features), uninstall any unneeded optional components, reboot and try the update again.
Error: SetupDiag reports downlevel failure, Operation: Finalize, Error: 0x8007001F - 0x50015
Refer to https://learn.microsoft.com/windows/deployment/upgrade/upgrade-error-codes for error information.
```

12
windows/deployment/upgrade/submit-errors.md
View File

@ -2,13 +2,13 @@
title: Submit Windows upgrade errors using Feedback Hub
manager: aaroncz
ms.author: frankroj
description: Download the Feedback Hub app, and then submit Windows upgrade errors for diagnosis using feedback hub.
description: Download the Feedback Hub app, and then submit Windows upgrade errors for diagnosis using Feedback Hub.
ms.service: windows-client
author: frankroj
ms.localizationpriority: medium
ms.topic: troubleshooting-general
ms.subservice: itpro-deploy
ms.date: 01/29/2025
ms.date: 04/08/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
@ -28,17 +28,17 @@ This article describes how to submit problems with a Windows upgrade to Microsof
The Feedback Hub app allows reporting to Microsoft of any problems encountered while using Windows. It also allows sending suggestions to Microsoft on how to improve the Windows experience. Previously, the Feedback Hub could only be used through the Windows Insider Program. Now anyone can use this tool. The Feedback Hub app can be downloaded from the [Microsoft Store](https://www.microsoft.com/store/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0).
The Feedback Hub requires a currently supported version of Windows. The Feedback Hub can be used to submit information to Microsoft if problems are encountered while upgrading Windows. If upgrading to a currently supported version of Windows from a previous version that's Windows 10 or newer, the Feedback Hub automatically collects log files. For operating systems prior to Windows 10 that don't support the Feedback Hub, the log files must be manually collected. The log files can then be attached to the feedback item using a device that is running a currently supported version of Windows that supports the Feedback Hub.
The Feedback Hub requires a [currently supported version of Windows](/windows/release-health/supported-versions-windows-client). The Feedback Hub can be used to submit information to Microsoft if problems are encountered while upgrading Windows. If upgrading between [currently supported version of Windows](/windows/release-health/supported-versions-windows-client), the Feedback Hub automatically collects log files. For out of support operating systems before Windows 10 that don't support the Feedback Hub, the log files must be manually collected. The log files can then be attached to the feedback item using a device that is running a [currently supported version of Windows](/windows/release-health/supported-versions-windows-client) that supports the Feedback Hub.
## Submit feedback
To submit feedback about a failed Windows upgrade, open the [Feedback Hub](feedback-hub://?referrer=resolveUpgradeErrorsPage&tabid=2&contextid=81&newFeedback=true&feedbackType=2&topic=submit-errors.md).
In the Feedback Hub, fill out all four sections with as much detail as possible:
In the Feedback Hub, fill out all of the sections with as much detail as possible:
1. **Enter your feedback**
1. **Choose a category**
1. **Find similar feedback**
1. **Find similar feedback** - this section doesn't have anything to fill out, but it is important to check for similar feedback items. If a similar feedback item is found, select it and then select the **Next** button. This allows Microsoft to see how many people are affected by the same issue.
1. **Add more details**
Recommended information that can be included under the **Add more details** section include:
@ -71,5 +71,3 @@ After the feedback is submitted, additional information and items can be added t
1. Copy and then use the short link that is displayed.
:::image type="content" alt-text="Share example." source="../images/share.jpg":::
## Related articles

28
windows/deployment/upgrade/windows-error-reporting.md
View File

@ -8,7 +8,7 @@ author: frankroj
ms.localizationpriority: medium
ms.topic: article
ms.subservice: itpro-deploy
ms.date: 01/29/2025
ms.date: 04/08/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
@ -22,7 +22,7 @@ appliesto:
>
> See [Resolve Windows upgrade errors](resolve-windows-upgrade-errors.md) for a full list of articles in this section.
When Windows Setup fails, the result and extend code are recorded as an informational event in the Application log by Windows Error Reporting as event 1001. The event name is **WinSetupDiag02**. Event Viewer or Windows PowerShell can be used to review this event.
When Windows Setup fails, the [result code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes) and [extend code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes) are recorded as an informational event in the Application log by Windows Error Reporting as event 1001. The event name is **WinSetupDiag02**. Event Viewer or Windows PowerShell can be used to review this event.
To use Windows PowerShell, type the following commands from an elevated Windows PowerShell prompt:
@ -48,18 +48,18 @@ To use Event Viewer:
Ten parameters are listed in the event:
| Parameters |
| ------------- |
| P1: The Setup Scenario (1=Media,5=WindowsUpdate,7=Media Creation Tool) |
| P2: Setup Mode (x=default,1=Downlevel,5=Rollback) |
| P3: New OS Architecture (x=default,0=X86,9=AMD64) |
| P4: Install Result (x=default,0=Success,1=Failure,2=Cancel,3=Blocked) |
| **P5: Result Error Code** (Ex: 0xc1900101) |
| **P6: Extend Error Code** (Ex: 0x20017) |
| P7: Source OS build (Ex: 9600) |
| P8: Source OS branch (not typically available) |
| P9: New OS build (Ex: 16299) |
| P10: New OS branch (Ex: rs3_release) |
| Parameters | Description| Example |
| ------------- | --- | --- |
| P1 | The Setup Scenario | 1=Media, 5=WindowsUpdate, 7=Media Creation Tool |
| P2 | Setup Mode | x=default, 1=Downlevel, 5=Rollback |
| P3 | New OS Architecture | x=default, 0=X86, 9=AMD64 |
| P4 | Install Result | x=default, 0=Success, 1=Failure,2=Cancel, 3=Blocked |
| **P5** | Result Error Code | 0xc1900101 |
| **P6** | Extend Error Code | 0x20017 |
| P7 | Source OS build | 9600 |
| P8 | Source OS branch | Not typically available |
| P9 | New OS build | 16299 |
| P10 | New OS branch | rs3_release |
The event also contains links to log files that can be used to perform a detailed diagnosis of the error. The following example is an example of this event from a successful upgrade:

7
windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
View File

@ -7,7 +7,10 @@ ms.service: windows-client
author: frankroj
ms.topic: upgrade-and-migration-article
ms.subservice: itpro-deploy
ms.date: 08/30/2024
ms.date: 04/08/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Windows upgrade and migration considerations
@ -61,7 +64,7 @@ If a single-language Windows image that matches the system default UI language o
### Errorhandler.cmd
If using **Errorhandler.cmd** when upgrading from an earlier version of Windows, copy **Errorhandler.cmd** into the `%WINDIR%\Setup\Scripts` directory on the original installation of Windows. Copying **Errorhandler.cmd** into the `%WINDIR%\Setup\Scripts` directory on the original installation of Windows makes sure that if there are errors during the down-level phase of Windows Setup, the commands in **Errorhandler.cmd** run. For more information, see [Run a script if Windows Setup encounters a fatal error (ErrorHandler.cmd)](/windows-hardware/manufacture/desktop/add-a-custom-script-to-windows-setup#run-a-script-if-windowssetup-encounters-a-fatal-error-errorhandlercmd).
If using **Errorhandler.cmd** when upgrading from an earlier version of Windows, copy **Errorhandler.cmd** into the `%WINDIR%\Setup\Scripts` directory on the original installation of Windows. Copying **Errorhandler.cmd** into the `%WINDIR%\Setup\Scripts` directory on the original installation of Windows makes sure that if there are errors during the downlevel phase of Windows Setup, the commands in **Errorhandler.cmd** run. For more information, see [Run a script if Windows Setup encounters a fatal error (ErrorHandler.cmd)](/windows-hardware/manufacture/desktop/add-a-custom-script-to-windows-setup#run-a-script-if-windowssetup-encounters-a-fatal-error-errorhandlercmd).
## Related content

4
windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
View File

@ -1,7 +1,7 @@
---
title: Hotpatch updates
description: Use Hotpatch updates to receive security updates without restarting your device
ms.date: 04/02/2025
ms.date: 04/04/2025
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -91,7 +91,7 @@ LCUs requires you to restart the device, but the LCU ensures that the device rem
1. Select **Devices** from the left navigation menu.
1. Under the **Manage updates** section, select **Windows updates**.
1. Go to the **Quality updates** tab.
1. Select **Create**, and select **Windows quality update policy (preview)**.
1. Select **Create**, and select **Windows quality update policy**.
1. Under the **Basics** section, enter a name for your new policy and select Next.
1. Under the **Settings** section, set **"When available, apply without restarting the device ("Hotpatch")** to **Allow**. Then, select **Next**.
1. Select the appropriate Scope tags or leave as Default and select **Next**.

9
windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md
View File

@ -1,7 +1,7 @@
---
title: Hotpatch quality update report
description: Use the Hotpatch quality update report to view the current update statuses for all devices that receive Hotpatch updates
ms.date: 03/31/2025
ms.date: 04/04/2025
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -15,10 +15,7 @@ ms.collection:
- tier1
---
# Hotpatch quality update report (public preview)
> [!IMPORTANT]
> This feature is in public preview. It is being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback.
# Hotpatch quality update report
The Hotpatch quality update report provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. For more information about Hotpatching, see [Hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md).
@ -27,7 +24,7 @@ The Hotpatch quality update report provides a per policy level view of the curre
1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Navigate to **Reports** > **Windows Autopatch** > **Windows quality updates**.
1. Select the **Reports** tab.
1. Select **Hotpatch quality updates (preview)**.
1. Select **Hotpatch quality updates**.
> [!NOTE]
> The data in this report is refreshed every four hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md#about-data-latency).

4
windows/security/identity-protection/access-control/access-control.md
View File

@ -1,6 +1,6 @@
---
ms.date: 09/06/2024
title: Access Control overview
ms.date: 04/07/2025
title: Access Control Overview
description: Learn about access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer.
ms.topic: overview
appliesto:

44
windows/security/identity-protection/access-control/local-accounts.md
View File

@ -1,5 +1,5 @@
---
ms.date: 09/06/2024
ms.date: 04/07/2025
title: Local Accounts
description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
ms.topic: concept-article
@ -225,33 +225,33 @@ The following table shows the Group Policy and registry settings that are used t
#### To enforce local account restrictions for remote access
1. Start the **Group Policy Management** Console (GPMC)
1. In the console tree, expand &lt;*Forest*&gt;\\Domains\\&lt;*Domain*&gt;, and then **Group Policy Objects** where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO)
1. In the console tree, expand <*Forest*>\Domains\<*Domain*>, and then **Group Policy Objects** where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO)
1. In the console tree, right-click **Group Policy Objects > New**
1. In the **New GPO** dialog box, type &lt;**gpo\_name**&gt;, and &gt; **OK** where *gpo\_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer
1. In the details pane, right-click &lt;**gpo\_name**&gt;, and &gt; **Edit**
1. In the **New GPO** dialog box, type <**gpo_name**>, and > **OK** where *gpo_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer
1. In the details pane, right-click <**gpo_name**>, and > **Edit**
1. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by following these steps:
- Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and &gt; **Security Options**
- Double-click **User Account Control: Run all administrators in Admin Approval Mode** &gt; **Enabled** &gt; **OK**
- Double-click **User Account Control: Admin Approval Mode for the Built-in Administrator account** &gt; **Enabled** &gt; **OK**
- Navigate to the **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options**
- Select **User Account Control: Run all administrators in Admin Approval Mode** > **Enabled** > **OK**
- Select **User Account Control: Admin Approval Mode for the Built-in Administrator account** > **Enabled** > **OK**
1. Ensure that the local account restrictions are applied to network interfaces by following these steps:
- Navigate to *Computer Configuration\Preferences and Windows Settings*, and > **Registry**
- Right-click **Registry**, and &gt; **New** &gt; **Registry Item**
- Right-click **Registry**, and > **New** > **Registry Item**
- In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**
- Ensure that the **Hive** box is set to **HKEY_LOCAL_MACHINE**
- Select (**…**), browse to the following location for **Key Path** &gt; **Select** for: `SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`
- Select (**…**), browse to the following location for **Key Path** > **Select** for: `SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`
- In the **Value name** area, type `LocalAccountTokenFilterPolicy`
- In the **Value type** box, from the drop-down list, select **REG_DWORD** to change the value
- In the **Value data** box, ensure that the value is set to **0**
- Verify this configuration, and &gt; **OK**
- Verify this configuration, and > **OK**
1. Link the GPO to the first **Workstations** organizational unit (OU) by doing the following:
- Navigate to the `*Forest*\<Domains>\*Domain*\*OU*` path
- Right-click the **Workstations > Link an existing GPO**
- Select the GPO that you created, and &gt; **OK**
- Select the GPO that you created, and > **OK**
1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy
1. Create links to all other OUs that contain workstations
@ -278,23 +278,23 @@ The following table shows the Group Policy settings that are used to deny networ
#### To deny network logon to all local administrator accounts
1. Start the **Group Policy Management** Console (GPMC)
1. In the console tree, expand &lt;*Forest*&gt;\\Domains\\&lt;*Domain*&gt;, and then **Group Policy Objects**, where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO)
1. In the console tree, right-click **Group Policy Objects**, and &gt; **New**
1. In the **New GPO** dialog box, type &lt;**gpo\_name**&gt;, and then &gt; **OK** where *gpo\_name* is the name of the new GPO indicates that it's being used to restrict the local administrative accounts from interactively signing in to the computer
1. In the details pane, right-click &lt;**gpo\_name**&gt;, and &gt; **Edit**
1. In the console tree, expand <*Forest*>\Domains\<*Domain*>, and then **Group Policy Objects**, where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO)
1. In the console tree, right-click **Group Policy Objects**, and > **New**
1. In the **New GPO** dialog box, type <**gpo_name**>, and then > **OK** where *gpo_name* is the name of the new GPO indicates that it's being used to restrict the local administrative accounts from interactively signing in to the computer
1. In the details pane, right-click <**gpo_name**>, and > **Edit**
1. Configure the user rights to deny network logons for administrative local accounts as follows:
1. Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\, and &gt; **User Rights Assignment**
1. Navigate to the Computer Configuration\Windows Settings\Security Settings\, and > **User Rights Assignment**
1. Double-click **Deny access to this computer from the network**
1. Select **Add User or Group**, type **Local account and member of Administrators group**, and &gt; **OK**
1. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**
1. Configure the user rights to deny Remote Desktop (Remote Interactive) logons for administrative local accounts as follows:
1. Navigate to Computer Configuration\\Policies\\Windows Settings and Local Policies, and then select **User Rights Assignment**
1. Navigate to Computer Configuration\Policies\Windows Settings and Local Policies, and then select **User Rights Assignment**
1. Double-click **Deny log on through Remote Desktop Services**
1. Select **Add User or Group**, type **Local account and member of Administrators group**, and &gt; **OK**
1. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**
1. Link the GPO to the first **Workstations** OU as follows:
- Navigate to the &lt;*Forest*&gt;\\Domains\\&lt;*Domain*&gt;\\OU path
- Right-click the **Workstations** OU, and &gt; **Link an existing GPO**
- Select the GPO that you created, and &gt; **OK**
- Navigate to the <*Forest*>\Domains\<*Domain*>\OU path
- Right-click the **Workstations** OU, and > **Link an existing GPO**
- Select the GPO that you created, and > **OK**
1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy
1. Create links to all other OUs that contain workstations

2
windows/security/identity-protection/credential-guard/configure.md
View File

@ -212,7 +212,7 @@ The following event indicates whether TPM is used for key protection. Path: `App
:::column-end:::
:::row-end:::
If you're running with a TPM, the TPM PCR mask value is something other than 0.
The TPM PCR mask is only relevant when SRTM is used. If the cached Copy status is 1, SRTM was not used - typically indicating DRTM is in use - and the PCR mask should be ignored.
## Disable Credential Guard

4
windows/security/identity-protection/passkeys/index.md
View File

@ -1,10 +1,10 @@
---
title: Support for passkeys in Windows
title: Support for Passkeys in Windows
description: Learn about passkeys and how to use them on Windows devices.
ms.collection:
- tier1
ms.topic: overview
ms.date: 09/06/2024
ms.date: 04/07/2025
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>

2
windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
View File

@ -2,7 +2,7 @@
title: Deploy Virtual Smart Cards
description: Learn about what to consider when deploying a virtual smart card authentication solution
ms.topic: concept-article
ms.date: 09/06/2024
ms.date: 04/07/2025
---
# Deploy Virtual Smart Cards

2
windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
View File

@ -2,7 +2,7 @@
title: Evaluate Virtual Smart Card Security
description: Learn about the security characteristics and considerations when deploying TPM virtual smart cards.
ms.topic: concept-article
ms.date: 09/06/2024
ms.date: 04/07/2025
---
# Evaluate Virtual Smart Card Security

2
windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
View File

@ -2,7 +2,7 @@
title: Get Started with Virtual Smart Cards - Walkthrough Guide
description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
ms.topic: get-started
ms.date: 09/06/2024
ms.date: 04/07/2025
---
# Get Started with Virtual Smart Cards: Walkthrough Guide

2
windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
View File

@ -2,7 +2,7 @@
title: Virtual Smart Card Overview
description: Learn about virtual smart card technology for Windows.
ms.topic: overview
ms.date: 09/06/2024
ms.date: 04/07/2025
---
# Virtual Smart Card Overview

2
windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
View File

@ -2,7 +2,7 @@
title: Tpmvscmgr
description: Learn about the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer.
ms.topic: reference
ms.date: 09/06/2024
ms.date: 04/07/2025
---
# Tpmvscmgr

2
windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
View File

@ -2,7 +2,7 @@
title: Understanding and Evaluating Virtual Smart Cards
description: Learn how smart card technology can fit into your authentication design.
ms.topic: overview
ms.date: 09/06/2024
ms.date: 04/07/2025
---
# Understand and Evaluate Virtual Smart Cards

2
windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
View File

@ -2,7 +2,7 @@
title: Use Virtual Smart Cards
description: Learn about the requirements for virtual smart cards, how to use and manage them.
ms.topic: concept-article
ms.date: 09/06/2024
ms.date: 04/07/2025
---
# Use Virtual Smart Cards

2
windows/security/operating-system-security/network-security/windows-firewall/configure-logging.md
View File

@ -2,7 +2,7 @@
title: Configure Windows Firewall logging
description: Learn how to configure Windows Firewall to log dropped packets or successful connections with CSP and group policy.
ms.topic: how-to
ms.date: 09/06/2024
ms.date: 04/07/2025
---
# Configure Windows Firewall logging

6
windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md
View File

@ -1,8 +1,8 @@
---
title: Manage Windows Firewall with the command line
title: Manage Windows Firewall With the Command Line
description: Learn how to manage Windows Firewall from the command line. This guide provides examples how to manage Windows Firewall with PowerShell and Netsh.
ms.topic: how-to
ms.date: 09/06/2024
ms.date: 04/07/2025
---
# Manage Windows Firewall with the command line
@ -53,7 +53,7 @@ netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFile
### Disable Windows Firewall
Microsoft recommends that you don't disable Windows Firewall because you lose other benefits, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, Windows Service Hardening, and [boot time filters][BTF]. Non-Microsoft firewall software can programmatically disable only the [rule types][FWRC] of Windows Firewall that need to be disabled for compatibility. You shouldn't disable the firewall yourself for this purpose.
Microsoft recommends that you don't disable Windows Firewall because you lose other benefits, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, Windows Service Hardening, and [boot time filters][BTF]. Non-Microsoft firewall software can programmatically disable only the [rule types][FWRC] of Windows Firewall that need to be disabled for compatibility. You shouldn't disable the firewall yourself for this purpose.
If disabling Windows Firewall is required, don't disable it by stopping the Windows Firewall service (in the Services snap-in, the display name is Windows Defender Firewall and the service name is MpsSvc). Stopping the Windows Firewall service isn't supported by Microsoft and can cause problems, including:
- Start menu can stop working

4
windows/security/operating-system-security/network-security/windows-firewall/configure.md
View File

@ -1,8 +1,8 @@
---
title: Configure firewall rules with group policy
title: Configure Firewall Rules With Group Policy
description: Learn how to configure firewall rules using group policy with the Windows Firewall with Advanced Security console.
ms.topic: how-to
ms.date: 09/06/2024
ms.date: 04/07/2025
---
# Configure rules with group policy

4
windows/security/operating-system-security/network-security/windows-firewall/dynamic-keywords.md
View File

@ -1,8 +1,8 @@
---
title: Windows Firewall dynamic keywords
title: Windows Firewall Dynamic Keywords
description: Learn about Windows Firewall dynamic keywords and how to configure it using Windows PowerShell.
ms.topic: how-to
ms.date: 09/06/2024
ms.date: 04/07/2025
---
# Windows Firewall dynamic keywords

4
windows/security/operating-system-security/network-security/windows-firewall/filter-origin-documentation.md
View File

@ -1,8 +1,8 @@
---
title: Filter origin audit log
title: Filter Origin Audit Log
description: Learn about Windows Firewall and filter origin audit log to troubleshoot packet drops.
ms.topic: troubleshooting
ms.date: 09/06/2024
ms.date: 04/07/2025
---
# Filter origin audit log

4
windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
View File

@ -1,8 +1,8 @@
---
title: Hyper-V firewall
title: Hyper-V Firewall
description: Learn how to configure Hyper-V firewall rules and settings using PowerShell or Configuration Service Provider (CSP).
ms.topic: how-to
ms.date: 09/06/2024
ms.date: 04/07/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
---

6
windows/security/operating-system-security/network-security/windows-firewall/index.md
View File

@ -1,8 +1,8 @@
---
title: Windows Firewall overview
title: Windows Firewall Overview
description: Learn overview information about the Windows Firewall security feature.
ms.topic: overview
ms.date: 09/06/2024
ms.date: 04/07/2025
---
# Windows Firewall overview
@ -75,7 +75,7 @@ The *public network* profile is designed with higher security in mind for public
## Disable Windows Firewall
Microsoft recommends that you don't disable Windows Firewall because you lose other benefits, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, Windows Service Hardening, and [boot time filters][BTF]. Non-Microsoft firewall software can programmatically disable only the [rule types][FWRC] of Windows Firewall that need to be disabled for compatibility. You shouldn't disable the firewall yourself for this purpose.
Microsoft recommends that you don't disable Windows Firewall because you lose other benefits, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, Windows Service Hardening, and [boot time filters][BTF]. Non-Microsoft firewall software can programmatically disable only the [rule types][FWRC] of Windows Firewall that need to be disabled for compatibility. You shouldn't disable the firewall yourself for this purpose.
If disabling Windows Firewall is required, don't disable it by stopping the Windows Firewall service (in the Services snap-in, the display name is Windows Defender Firewall and the service name is MpsSvc). Stopping the Windows Firewall service isn't supported by Microsoft and can cause problems, including:
- Start menu can stop working

4
windows/security/operating-system-security/network-security/windows-firewall/quarantine.md
View File

@ -1,8 +1,8 @@
---
title: Quarantine behavior
title: Quarantine Behavior
description: Learn about Windows Firewall and the quarantine feature behavior.
ms.topic: concept-article
ms.date: 09/06/2024
ms.date: 04/07/2025
---
# Quarantine behavior

10
windows/security/operating-system-security/network-security/windows-firewall/rules.md
View File

@ -1,7 +1,7 @@
---
title: Windows Firewall rules
title: Windows Firewall Rules
description: Learn about Windows Firewall rules and design recommendations.
ms.date: 09/06/2024
ms.date: 04/07/2025
ms.topic: concept-article
---
@ -21,7 +21,7 @@ In many cases, allowing specific types of inbound traffic is required for applic
Because of 1 and 2, when designing a set of policies, you should make sure that there are no other explicit block rules that could inadvertently overlap, thus preventing the traffic flow you wish to allow.
Outbound rules follow the same precedence behaviors.
Outbound rules follow the same precedence behaviors.
> [!NOTE]
> Windows Firewall doesn't support weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors as described.
@ -33,12 +33,12 @@ When first installed, network applications and services issue a *listen call* sp
:::row:::
:::column span="2":::
If there's no active application or administrator-defined allow rule(s), a dialog box prompts the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network:
- If the user has admin permissions, they're prompted. If they respond *No* or cancel the prompt, block rules are created. Two rules are typically created, one each for TCP and UDP traffic
- If the user isn't a local admin and they are prompted, block rules are created. It doesn't matter what option is selected
To disable the notification prompt, you can use the [command line](/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line) or the **Windows Firewall with Advanced Security** console
:::column-end:::
:::column span="2":::
:::image type="content" source="images/uac.png" alt-text="Screenshot showing the User Account Control (UAC) prompt to allow Microsoft Teams." border="false":::

4
windows/security/operating-system-security/network-security/windows-firewall/tools.md
View File

@ -1,7 +1,7 @@
---
title: Windows Firewall tools
title: Windows Firewall Tools
description: Learn about the available tools to configure Windows Firewall and firewall rules.
ms.date: 09/06/2024
ms.date: 04/07/2025
ms.topic: best-practice
---

2
windows/security/operating-system-security/network-security/windows-firewall/troubleshooting-uwp-firewall.md
View File

@ -2,7 +2,7 @@
title: Troubleshooting UWP App Connectivity Issues in Windows Firewall
description: Troubleshooting UWP App Connectivity Issues in Windows Firewall
ms.topic: troubleshooting
ms.date: 09/06/2024
ms.date: 04/07/2025
---
# Troubleshooting UWP App Connectivity Issues

4
windows/security/security-foundations/certification/validations/cc-windows-server-previous.md
View File

@ -63,7 +63,7 @@ The following tables list the completed Common Criteria certifications for Windo
[security-target-april-2014]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf
[security-target-january-2014]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf
[security-target-march-2011]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf
[security-target-july-2009]: https://www.microsoft.com/download/en/details.aspx?id=29305
[security-target-july-2009]: https://www.microsoft.com/download/details.aspx?id=29305
[security-target-july-2009-hyperv]: https://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf
[security-target-august-2009]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf
[security-target-september-2008]: https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf
@ -77,7 +77,7 @@ The following tables list the completed Common Criteria certifications for Windo
[admin-guide-january-2015-pro]: https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx
[admin-guide-april-2014]: https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf
[admin-guide-january-2014]: https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx
[admin-guide-july-2009]: https://www.microsoft.com/download/en/details.aspx?id=29308
[admin-guide-july-2009]: https://www.microsoft.com/download/details.aspx?id=29308
[admin-guide-july-2009-hyperv]: https://www.microsoft.com/en-us/download/details.aspx?id=14252
<!-- Assurance Activity Reports -->

11
windows/whats-new/deprecated-features-resources.md
View File

@ -1,7 +1,7 @@
---
title: Resources for deprecated features in the Windows client
description: Resources and details for deprecated features in the Windows client.
ms.date: 08/14/2024
ms.date: 04/08/2025
ms.service: windows-client
ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
@ -21,6 +21,15 @@ appliesto:
This article provides additional resources about [deprecated features for Windows client](deprecated-features.md) that may be needed by IT professionals. The following information is provided to help IT professionals plan for the removal of deprecated features:
## Windows UWP Map control and Windows Maps platform APIs
In May 2024, we announced the unification of [Bing Maps for Enterprise](https://blogs.bing.com/maps/2024-05/Microsoft-Announces-Vision-for-Next-Generation-of-Enterprise-Maps) with [Azure Maps](https://azure.microsoft.com/products/azure-maps). This means that going forward, Azure Maps will combine the best of Bing Maps for Enterprise and Azure Maps. If your solution uses the Windows UWP Map control, look to move to an Azure Maps based replacement within one year of this deprecation notice rather than the end date for the entire Bing Maps for Enterprise platform. The following resources can help you with this transition:
- [Migrate from Bing Maps to Azure Maps](/azure/azure-maps/migrate-bing-maps-overview)
- [Use the Azure Maps map control](/azure/azure-maps/how-to-use-map-control)
- [Azure Maps code samples](https://samples.azuremaps.com/)
- [Bing Maps Blog](https://blogs.bing.com/maps)
- [Azure Maps Blog](https://techcommunity.microsoft.com/category/azure/blog/azuremapsblog)
## Paint 3D
Paint 3D is deprecated and will be removed from the Microsoft Store on November 4, 2024. Existing installations of Paint 3D will continue to work, but the app will no longer be available for download from the Microsoft Store. If you remove the app, you can reinstall it from the Microsoft Store until November 4, 2024. After that date, Paint 3D will no longer be available for download. Paint 3D was preinstalled on some Windows 10 devices, but wasn't preinstalled on Windows 11 devices. Some alternatives to Paint 3D include:

3
windows/whats-new/deprecated-features.md
View File

@ -1,7 +1,7 @@
---
title: Deprecated features in the Windows client
description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
ms.date: 02/19/2025
ms.date: 04/08/2025
ms.service: windows-client
ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
@ -47,6 +47,7 @@ The features in this article are no longer being actively developed, and might b
| Feature | Details and mitigation | Deprecation announced |
|---|---|---|
| Windows UWP Map control and Windows Maps platform APIs <!--9853556--> | The [Windows UWP Map control](/uwp/api/windows.ui.xaml.controls.maps) and [Windows Maps platform APIs](/uwp/api/windows.services.maps) within Windows have been deprecated as of April 8, 2025. The Maps UWP Control and Maps platform support within Windows will continue to function but will not be updated. For more information, see [Resources for deprecated features](deprecated-features-resources.md#windows-uwp-map-control-and-windows-maps-platform-apis). | April 8, 2025 |
| Line printer daemon (LPR/LPD) <!--9787121--> | Deprecation reminder: [The line printer daemon protocol (LPR/LPD) was deprecated](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831568(v=ws.11)#printing) starting in Windows Server 2012. As removal of the line printer daemon protocol nears, we'd like to remind customers to ensure their environments are prepared for removal. When these features are eventually removed, clients that print to a server using this protocol, such as UNIX clients, will not be able to connect or print. Instead, UNIX clients should use IPP. Windows clients can connect to UNIX shared printers using the [Windows Standard Port Monitor](/troubleshoot/windows-server/printing/standard-port-monitor-for-tcpip). | [Original announcement: Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831568(v=ws.11)#printing) </br> <br> Courtesy reminder: February 2025 |
| Location History <!--9798092--> | We are deprecating and removing the Location History feature, an [API](/uwp/api/windows.devices.geolocation.geolocator.getgeopositionhistoryasync) that allowed Cortana to access 24 hours of device history when location was enabled. With the removal of the Location History feature, location data will no longer be saved locally and the corresponding settings will also be removed from the **Privacy & Security** > **Location** page in **Settings**. | February 2025 |
| Suggested actions <!--9614241-->| Suggested actions that appear when you copy a phone number or future date in Windows 11 are deprecated and will be removed in a future Windows 11 update. | December 2024 |