diff --git a/education/windows/edu-take-a-test-kiosk-mode.md b/education/windows/edu-take-a-test-kiosk-mode.md index 712eec4c91..14a1e7515a 100644 --- a/education/windows/edu-take-a-test-kiosk-mode.md +++ b/education/windows/edu-take-a-test-kiosk-mode.md @@ -1,7 +1,7 @@ --- -title: Configure Take a Test in kiosk mode -description: Learn how to configure Windows to execute the Take a Test app in kiosk mode, using Intune and provisioning packages. -ms.date: 09/06/2024 +title: Configure Take a Test in Kiosk Mode +description: Learn how to configure Windows to execute the Take a Test app in kiosk mode using different methods. +ms.date: 04/07/2025 ms.topic: how-to --- @@ -11,10 +11,11 @@ Executing Take a Test in kiosk mode is the recommended option for high stakes as The configuration of Take a Test in kiosk mode can be done using: -- Microsoft Intune/MDM -- a provisioning package (PPKG) +- Microsoft Intune +- Configuration service provider (CSP) +- A provisioning package (PPKG) - PowerShell -- the Settings app +- The Settings app When using the Settings app, you can configure Take a Test in kiosk mode using a local account only. This option is recommended for devices that aren't managed. The other options allow you to configure Take a Test in kiosk mode using a local account, an account defined in the directory, or a guest account. 
@@ -26,19 +27,7 @@ The other options allow you to configure Take a Test in kiosk mode using a local Follow the instructions below to configure your devices, selecting the option that best suits your needs. -# [:::image type="icon" source="images/icons/intune.svg"::: **Intune/CSP**](#tab/intune) - -You can use Intune for Education or a custom profile in Microsoft Intune: - -- Intune for Education provides a simpler experience -- A custom profile provides more flexibility and controls over the configuration - -> [!IMPORTANT] -> Currently, the policy created in Intune for Education is applicable to Windows 10 and Windows 11 only. **It will not apply to Windows 11 SE devices.** -> -> If you want to configure Take a Test for Windows 11 SE devices, you must use a custom policy. - -### Configure Take a Test from Intune for Education +# [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) To configure devices using Intune for Education, follow these steps: @@ -51,23 +40,19 @@ To configure devices using Intune for Education, follow these steps: :::image type="content" source="./images/takeatest/intune-education-take-a-test-profile.png" alt-text="Intune for Education - creation of a Take a Test profile." lightbox="./images/takeatest/intune-education-take-a-test-profile.png" border="true"::: -### Configure Take a Test with a custom policy +# [:::image type="icon" source="images/icons/csp.svg"::: **CSP**](#tab/csp) -[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)] +To configure devices using configuration service providers, use the following settings: | Setting | |--------| -|
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn`**
  • Data type: **Integer**
  • Value: **1**
  • | -|
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/WindowsLogon/HideFastUserSwitching`**
  • Data type: **Integer**
  • Value: **1**
  • | -|
  • OMA-URI: **`./Vendor/MSFT/SharedPC/AccountModel`**
  • Data type: **Integer**
  • Value: **1**
  • | -|
  • OMA-URI: **`./Vendor/MSFT/SharedPC/EnableAccountManager`**
  • Data type: **Boolean**
  • Value: **True**
  • | -|
  • OMA-URI: **`./Vendor/MSFT/SharedPC/KioskModeAUMID`**
  • Data type: **String**
  • Value: **Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App**
  • | -|
  • OMA-URI: **`./Vendor/MSFT/SharedPC/KioskModeUserTileDisplayText`**
  • Data type: **String**
  • Value: **Take a Test** (or a string of your choice to display in the sing-in screen)
  • | -|
  • OMA-URI: **`./Vendor/MSFT/SecureAssessment/LaunchURI`**
  • Data type: **String**
  • Value: **\**
  • | - -:::image type="content" source="./images/takeatest/intune-take-a-test-custom-profile.png" alt-text="Intune portal - creation of a custom policy to configure Take a Test." lightbox="./images/takeatest/intune-take-a-test-custom-profile.png" border="true"::: - -[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)] +| - **OMA-URI:** `./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/`[InteractiveLogon_DoNotDisplayLastSignedIn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#interactivelogon_donotdisplaylastsignedin)
    - **Data type:** Integer
    - **Value:** `1`| +| - **OMA-URI:** `./Vendor/MSFT/Policy/Config/WindowsLogon/`[HideFastUserSwitching](/windows/client-management/mdm/policy-csp-windowslogon#hidefastuserswitching)
    - **Data type:** Integer
    - **Value:** `1`| +| - **OMA-URI:** `./Vendor/MSFT/SharedPC/`[AccountModel](/windows/client-management/mdm/sharedpc-csp#accountmodel)
    - **Data type:** Integer
    - **Value:** `1`| +| - **OMA-URI:** `./Vendor/MSFT/SharedPC/`[EnableAccountManager](/windows/client-management/mdm/sharedpc-csp#enableaccountmanager)
    - **Data type:** Boolean
    - **Value:** `True`| +| - **OMA-URI:** `./Vendor/MSFT/SharedPC/`[KioskModeAUMID](/windows/client-management/mdm/sharedpc-csp#kioskmodeaumid)
    - **Data type:** String
    - **Value:** `Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App`| +| - **OMA-URI:** `./Vendor/MSFT/SharedPC/`[KioskModeUserTileDisplayText](/windows/client-management/mdm/sharedpc-csp#KioskModeUserTileDisplayText)
    - **Data type:** String
    - **Value:** **Take a Test** (or a string of your choice to display in the sing-in screen)| +| - **OMA-URI:** `./Vendor/MSFT/SecureAssessment/`[LaunchURI](/windows/client-management/mdm/sharedpc-csp#LaunchURI)
    - **Data type:** String
    - **Value:** \| # [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) @@ -88,13 +73,13 @@ Create a provisioning package using the Set up School PCs app, configuring the s | Setting | |--------| -|
  • Path: **`Policies/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn`**
  • Value: **Enabled**
  • | -|
  • Path: **`Policies/WindowsLogon/HideFastUserSwitching`**
  • Value: **True**
  • | -|
  • Path: **`SharedPC/AccountManagement/AccountModel`**
  • Value: **Domain-joined only**
  • | -|
  • Path: **`SharedPC/AccountManagement/EnableAccountManager`**
  • Value: **True**
  • | -|
  • Path: **`SharedPC/AccountManagement/KioskModeAUMID`**
  • Value: **Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App**
  • | -|
  • Path: **`SharedPC/AccountManagement/KioskModeUserTileDisplayText`**
  • Value: **Take a Test** (or a string of your choice to display in the sing-in screen)
  • | -|
  • Path: **`TakeATest/LaunchURI/`**
  • Value: **\**
  • | +| - Path: `Policies/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn`
    - **Value:** `Enabled`| +| - Path: `Policies/WindowsLogon/HideFastUserSwitching`
    - **Value:** True| +| - Path: `SharedPC/AccountManagement/AccountModel`
    - **Value:** Domain-joined only| +| - Path: `SharedPC/AccountManagement/EnableAccountManager`
    - **Value:** True| +| - Path: `SharedPC/AccountManagement/KioskModeAUMID`
    - **Value:** **Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App**| +| - Path: `SharedPC/AccountManagement/KioskModeUserTileDisplayText`
    - **Value:** Take a Test (or a string of your choice to display in the sing-in screen)| +| - Path: `TakeATest/LaunchURI/`
    - **Value:** \| :::image type="content" source="./images/takeatest/wcd-take-a-test.png" alt-text="Windows Configuration Designer - configuration of policies to enable Take a Test to run in kiosk mode" lightbox="./images/takeatest/wcd-take-a-test.png" border="true"::: diff --git a/education/windows/images/icons/csp.svg b/education/windows/images/icons/csp.svg new file mode 100644 index 0000000000..6baa611d0f --- /dev/null +++ b/education/windows/images/icons/csp.svg @@ -0,0 +1,10 @@ + + + + + + + + + + diff --git a/education/windows/images/takeatest/intune-take-a-test-custom-profile.png b/education/windows/images/takeatest/intune-take-a-test-custom-profile.png deleted file mode 100644 index 71e94646ec..0000000000 Binary files a/education/windows/images/takeatest/intune-take-a-test-custom-profile.png and /dev/null differ diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index 244868ff4c..4633fbdfc4 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md @@ -1,7 +1,7 @@ --- -title: Take a Test app technical reference +title: Take a Test App Technical Reference description: List of policies and settings applied by the Take a Test app. -ms.date: 09/06/2024 +ms.date: 04/07/2025 ms.topic: reference --- diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 5934d85fb5..02e1bc5257 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -1,7 +1,7 @@ --- title: BitLocker CSP description: Learn more about the BitLocker CSP. -ms.date: 03/12/2025 +ms.date: 04/04/2025 ms.topic: generated-reference --- 
@@ -175,7 +175,7 @@ The expected values for this policy are: 1 = This is the default, when the policy isn't set. Warning prompt and encryption notification is allowed. -0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, the value 0 only takes effect on Microsoft Entra joined devices. +0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, the value 0 only takes effect on Entra ID joined devices. Windows will attempt to silently enable BitLocker for value 0. @@ -209,7 +209,7 @@ Windows will attempt to silently enable BitLocker for value 0. | Value | Description | |:--|:--| -| 0 | Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Microsoft Entra joined devices. Windows will attempt to silently enable BitLocker for value 0. | +| 0 | Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Entra ID joined devices. Windows will attempt to silently enable BitLocker for value 0. | | 1 (Default) | Warning prompt allowed. | 
@@ -251,9 +251,9 @@ Windows will attempt to silently enable BitLocker for value 0. -Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Microsoft Entra ID and hybrid domain joined devices. +Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Entra ID and hybrid domain joined devices. -When not configured, Rotation is turned on by default for Microsoft Entra ID only and off on hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required. +When not configured, Rotation is turned on by default for Entra ID only and off on hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required. For OS drive: Turn on "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives". @@ -261,8 +261,8 @@ For Fixed drives: Turn on "Do not enable BitLocker until recovery information is Supported Values: 0 - Numeric Recovery Passwords rotation OFF. -1 - Numeric Recovery Passwords Rotation upon use ON for Microsoft Entra joined devices. Default value -2 - Numeric Recovery Passwords Rotation upon use ON for both Microsoft Entra ID and hybrid devices. +1 - Numeric Recovery Passwords Rotation upon use ON for Entra ID joined devices. Default value +2 - Numeric Recovery Passwords Rotation upon use ON for both Entra ID and hybrid devices. @@ -285,8 +285,8 @@ Supported Values: 0 - Numeric Recovery Passwords rotation OFF. | Value | Description | |:--|:--| | 0 (Default) | Refresh off (default). | -| 1 | Refresh on for Microsoft Entra joined devices. | -| 2 | Refresh on for both Microsoft Entra joined and hybrid-joined devices. | +| 1 | Refresh on for Entra ID-joined devices. | +| 2 | Refresh on for both Entra ID-joined and hybrid-joined devices. | 
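Review bot: In the allowed-values table of the bitlocker-csp.md hunk at @@ -285, value 0 is still marked "0 (Default)" with "Refresh off (default)", while the description edited in the @@ -261 hunk just above still ends "1 - Numeric Recovery Passwords Rotation upon use ON for Entra ID joined devices. Default value". Both lines are being touched for the rename, so settle which value is the default and make the two agree; an admin who reads only one of them will assume a different recovery-password rotation state for unconfigured devices. The rename also leaves "Entra ID joined" (description) and "Entra ID-joined" (table) side by side; pick one form.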
@@ -1212,7 +1212,7 @@ Disabling the policy won't turn off the encryption on the storage card. But will -Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on a Microsoft Entra ID or hybrid-joined device. +Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Entra ID or hybrid-joined device. This policy is Execute type and rotates all numeric passwords when issued from MDM tools. diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index c8dd0ba91c..5297684368 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md @@ -1,7 +1,7 @@ --- title: BitLocker DDF file description: View the XML file containing the device description framework (DDF) for the BitLocker configuration service provider. -ms.date: 02/13/2025 +ms.date: 04/04/2025 ms.topic: generated-reference --- @@ -580,7 +580,7 @@ The following XML file contains the device description framework (DDF) for the B 1 = This is the default, when the policy is not set. Warning prompt and encryption notification is allowed. 0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, - the value 0 only takes affect on Azure Active Directory joined devices. + the value 0 only takes affect on Entra ID joined devices. Windows will attempt to silently enable BitLocker for value 0. If you want to disable this policy use the following SyncML: 
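Review bot: The replacement line in the bitlocker-ddf-file.md hunk at @@ -580 keeps the typo "takes affect" ("the value 0 only takes affect on Entra ID joined devices"). It should read "takes effect", which is what the matching sentence in bitlocker-csp.md already says, and it is worth fixing while the line is being rewritten for the rename.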
@@ -600,7 +600,7 @@ The following XML file contains the device description framework (DDF) for the B 0 - Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0. + Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Entra ID joined devices. Windows will attempt to silently enable BitLocker for value 0. 1 @@ -680,15 +680,15 @@ The following XML file contains the device description framework (DDF) for the B 0 - Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on AAD and Hybrid domain joined devices. - When not configured, Rotation is turned on by default for AAD only and off on Hybrid. The Policy will be effective only when + Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Entra ID and Hybrid domain joined devices. + When not configured, Rotation is turned on by default for Entra ID only and off on Hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required. For OS drive: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for operating system drives" For Fixed drives: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for fixed data drives" Supported Values: 0 - Numeric Recovery Passwords rotation OFF. - 1 - Numeric Recovery Passwords Rotation upon use ON for AAD joined devices. Default value - 2 - Numeric Recovery Passwords Rotation upon use ON for both AAD and Hybrid devices + 1 - Numeric Recovery Passwords Rotation upon use ON for Entra ID joined devices. Default value + 2 - Numeric Recovery Passwords Rotation upon use ON for both Entra ID and Hybrid devices If you want to disable this policy use the following SyncML: 
@@ -716,11 +716,11 @@ The following XML file contains the device description framework (DDF) for the B 1 - Refresh on for Azure AD-joined devices + Refresh on for Entra ID-joined devices 2 - Refresh on for both Azure AD-joined and hybrid-joined devices + Refresh on for both Entra ID-joined and hybrid-joined devices @@ -731,7 +731,7 @@ The following XML file contains the device description framework (DDF) for the B - Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Azure Active Directory or hybrid-joined device. + Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Entra ID or hybrid-joined device. This policy is Execute type and rotates all numeric passwords when issued from MDM tools. The policy only comes into effect when Active Directory backup for a recovery password is configured to "required." diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 88cf7531a8..2ff47c6b70 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -1,7 +1,7 @@ --- title: Firewall CSP description: Learn more about the Firewall CSP. -ms.date: 03/12/2025 +ms.date: 04/04/2025 ms.topic: generated-reference --- @@ -1896,9 +1896,7 @@ New rules have the EdgeTraversal property disabled by default. -Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. - -If not specified - a new rule is disabled by default. +Indicates whether the rule is enabled or disabled. If not specified - a new rule is enabled by default. 
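Review bot: The Enabled description in the firewall-csp.md hunk at @@ -1896 reverses the documented default, from "a new rule is disabled by default" to "a new rule is enabled by default", and drops the sentence saying the value must be set to true for the rule to be enabled, with nothing in the hunk explaining why. For a firewall rule this is a behaviour statement admins rely on when they omit the node, so please confirm it against the CSP's actual behaviour and state in the text how a rule is created in the disabled state. The same sentence is repeated in the @@ -3254 hunk and in the two firewall-ddf-file.md hunks, so any correction has to land in all four places.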
@@ -3254,9 +3252,7 @@ If not specified the default is OUT. -Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. - -If not specified - a new rule is disabled by default. +Indicates whether the rule is enabled or disabled. If not specified - a new rule is enabled by default. diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md index d0cc7b9d7c..5ec78fee84 100644 --- a/windows/client-management/mdm/firewall-ddf-file.md +++ b/windows/client-management/mdm/firewall-ddf-file.md @@ -1,7 +1,7 @@ --- title: Firewall DDF file description: View the XML file containing the device description framework (DDF) for the Firewall configuration service provider. -ms.date: 02/13/2025 +ms.date: 04/04/2025 ms.topic: generated-reference --- @@ -4060,8 +4060,7 @@ An IPv6 address range in the format of "start address - end address" with no spa - Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. -If not specified - a new rule is disabled by default. + Indicates whether the rule is enabled or disabled. If not specified - a new rule is enabled by default. @@ -4760,8 +4759,7 @@ An IPv6 address range in the format of "start address - end address" with no spa - Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. -If not specified - a new rule is disabled by default. + Indicates whether the rule is enabled or disabled. If not specified - a new rule is enabled by default. diff --git a/windows/client-management/mdm/policies-in-preview.md b/windows/client-management/mdm/policies-in-preview.md index 26e00d9b59..6aaae7383f 100644 --- a/windows/client-management/mdm/policies-in-preview.md +++ b/windows/client-management/mdm/policies-in-preview.md 
@@ -1,7 +1,7 @@ --- title: Configuration service provider preview policies description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview. -ms.date: 03/26/2025 +ms.date: 04/04/2025 ms.topic: generated-reference --- @@ -23,6 +23,7 @@ This article lists the policies that are applicable for Windows Insider Preview ## ApplicationManagement - [AllowedNonAdminPackageFamilyNameRules](policy-csp-applicationmanagement.md#allowednonadminpackagefamilynamerules) +- [ConfigureMSIXAuthenticationAuthorizedDomains](policy-csp-applicationmanagement.md#configuremsixauthenticationauthorizeddomains) ## ClientCertificateInstall CSP @@ -92,9 +93,8 @@ This article lists the policies that are applicable for Windows Insider Preview ## HumanPresence -- [ForcePrivacyScreen](policy-csp-humanpresence.md#forceprivacyscreen) -- [ForcePrivacyScreenDim](policy-csp-humanpresence.md#forceprivacyscreendim) -- [ForcePrivacyScreenNotification](policy-csp-humanpresence.md#forceprivacyscreennotification) +- [ForceOnlookerDetection](policy-csp-humanpresence.md#forceonlookerdetection) +- [ForceOnlookerDetectionAction](policy-csp-humanpresence.md#forceonlookerdetectionaction) ## InternetExplorer 
@@ -111,6 +111,16 @@ This article lists the policies that are applicable for Windows Insider Preview - [StartInstallation](language-pack-management-csp.md#installlanguage-idstartinstallation) - [SystemPreferredUILanguages](language-pack-management-csp.md#languagesettingssystempreferreduilanguages) +## LanmanWorkstation + +- [AuditInsecureGuestLogon](policy-csp-lanmanworkstation.md#auditinsecureguestlogon) +- [AuditServerDoesNotSupportEncryption](policy-csp-lanmanworkstation.md#auditserverdoesnotsupportencryption) +- [AuditServerDoesNotSupportSigning](policy-csp-lanmanworkstation.md#auditserverdoesnotsupportsigning) +- [EnableMailslots](policy-csp-lanmanworkstation.md#enablemailslots) +- [MaxSmb2Dialect](policy-csp-lanmanworkstation.md#maxsmb2dialect) +- [MinSmb2Dialect](policy-csp-lanmanworkstation.md#minsmb2dialect) +- [RequireEncryption](policy-csp-lanmanworkstation.md#requireencryption) + ## LocalPoliciesSecurityOptions - [InteractiveLogon_NumberOfPreviousLogonsToCache](policy-csp-localpoliciessecurityoptions.md#interactivelogon_numberofpreviouslogonstocache) @@ -133,6 +143,10 @@ This article lists the policies that are applicable for Windows Insider Preview - [DisablePostLogonProvisioning](passportforwork-csp.md#devicetenantidpoliciesdisablepostlogonprovisioning) +## Power + +- [EnableEnergySaver](policy-csp-power.md#enableenergysaver) + ## Printers - [ConfigureIppTlsCertificatePolicy](policy-csp-printers.md#configureipptlscertificatepolicy) @@ -165,6 +179,10 @@ This article lists the policies that are applicable for Windows Insider Preview - [ExchangeModernAuthEnabled](surfacehub-csp.md#deviceaccountexchangemodernauthenabled) +## System + +- [DisableCHPE](policy-csp-system.md#disablechpe) + ## TextInput - [TouchKeyboardControllerModeAvailability](policy-csp-textinput.md#touchkeyboardcontrollermodeavailability) 
@@ -180,10 +198,12 @@ This article lists the policies that are applicable for Windows Insider Preview ## WindowsAI +- [DisableAIDataAnalysis](policy-csp-windowsai.md#disableaidataanalysis) - [SetDenyAppListForRecall](policy-csp-windowsai.md#setdenyapplistforrecall) - [SetDenyUriListForRecall](policy-csp-windowsai.md#setdenyurilistforrecall) - [SetMaximumStorageSpaceForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots) - [SetMaximumStorageDurationForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots) +- [DisableClickToDo](policy-csp-windowsai.md#disableclicktodo) - [DisableImageCreator](policy-csp-windowsai.md#disableimagecreator) - [DisableCocreator](policy-csp-windowsai.md#disablecocreator) - [DisableGenerativeFill](policy-csp-windowsai.md#disablegenerativefill) diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index dd90381449..d47b411cde 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -1,7 +1,7 @@ --- title: ApplicationManagement Policy CSP description: Learn more about the ApplicationManagement Area in Policy CSP. -ms.date: 03/12/2025 +ms.date: 04/04/2025 ms.topic: generated-reference --- @@ -635,6 +635,54 @@ Manages non-Administrator users' ability to install Windows app packages. + +## ConfigureMSIXAuthenticationAuthorizedDomains + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ❌ Pro
    ✅ Enterprise
    ✅ Education
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/ConfigureMSIXAuthenticationAuthorizedDomains +``` + + + + +Defines a regular expression in ECMA Script. When performing a streaming MSIX install, if this regular expression matches the domain name (uppercased) then the user's EntraID OAuth token will be attached to the request. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `chr` (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureMSIXAuthenticationAuthorizedDomains | +| Path | AppxPackageManager > AT > WindowsComponents > AppxDeployment | + + + + + + + + ## DisableStoreOriginatedApps diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 52b51b48ac..55a3527bd5 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -1,7 +1,7 @@ --- title: Defender Policy CSP description: Learn more about the Defender Area in Policy CSP. -ms.date: 03/12/2025 +ms.date: 04/04/2025 ms.topic: generated-reference --- @@ -728,7 +728,7 @@ This policy setting allows you to configure scheduled scans and on-demand (manua |:--|:--| | Format | `int` | | Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | +| Default Value | 1 | @@ -736,8 +736,8 @@ This policy setting allows you to configure scheduled scans and on-demand (manua | Value | Description | |:--|:--| -| 0 (Default) | Not allowed. Turns off scanning of network files. | -| 1 | Allowed. Scans network files. | +| 0 | Not allowed. Turns off scanning of network files. | +| 1 (Default) | Allowed. Scans network files. | 
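Review bot: The description added for ConfigureMSIXAuthenticationAuthorizedDomains in the policy-csp-applicationmanagement.md hunk (@@ -635) says the user's OAuth token is attached to a request whenever the regular expression matches the domain name, but it does not say whether the expression must match the whole domain name or any part of it, gives no example pattern, and the properties table has no Default Value row to show what happens when the policy is unset. Since this setting decides which hosts receive a user token, the text should state the matching rule, include one example written against the uppercased domain name, and describe the unconfigured behaviour. Also spell "ECMAScript" as one word and "Entra ID" with a space, as the rest of this change does.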
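Review bot: The two policy-csp-defender.md hunks (@@ -728 and @@ -736) move the default for scanning network files from 0 (not allowed) to 1 (allowed), which changes what an unconfigured device is documented to do. The policy description above these tables is not part of either hunk, so check that it does not still describe the old default, and confirm the new value against the source the page is generated from, since the front matter marks the page as generated-reference.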
diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md index 1b7009e02c..cb3dfdf1a2 100644 --- a/windows/client-management/mdm/policy-csp-humanpresence.md +++ b/windows/client-management/mdm/policy-csp-humanpresence.md @@ -1,7 +1,7 @@ --- title: HumanPresence Policy CSP description: Learn more about the HumanPresence Area in Policy CSP. -ms.date: 03/12/2025 +ms.date: 04/04/2025 ms.topic: generated-reference --- @@ -529,31 +529,31 @@ Determines the timeout for Lock on Leave forced by the MDM policy. The user will - -## ForcePrivacyScreen + +## ForceOnlookerDetection - + | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | - + - + ```Device -./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreen +./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForceOnlookerDetection ``` - + - + Determines whether detect when other people are looking at my screen is forced on/off by the MDM policy. The user won't be able to change this setting and the UI will be greyed out. - + - + - + - + **Description framework properties**: | Property name | Property value | @@ -561,9 +561,9 @@ Determines whether detect when other people are looking at my screen is forced o | Format | `int` | | Access Type | Add, Delete, Get, Replace | | Default Value | 0 | - + - + **Allowed values**: | Value | Description | @@ -571,48 +571,48 @@ Determines whether detect when other people are looking at my screen is forced o | 2 | ForcedOff. | | 1 | ForcedOn. | | 0 (Default) | DefaultToUserChoice. | - + - + **Group policy mapping**: | Name | Value | |:--|:--| -| Name | ForcePrivacyScreen | +| Name | ForceOnlookerDetection | | Path | Sensors > AT > WindowsComponents > HumanPresence | - + - + - + - + - -## ForcePrivacyScreenDim + +## ForceOnlookerDetectionAction - + | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | - + - + ```Device -./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenDim +./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForceOnlookerDetectionAction ``` - + - + -Determines whether dim the screen when other people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out. - +Determines whether the Onlooker Detection action is forced by the MDM policy. The user won't be able to change this setting and the toggle in the UI will be greyed out. + - + - + - + **Description framework properties**: | Property name | Property value | @@ -620,91 +620,33 @@ Determines whether dim the screen when other people are looking at my screen che | Format | `int` | | Access Type | Add, Delete, Get, Replace | | Default Value | 0 | - + - + **Allowed values**: | Value | Description | |:--|:--| -| 2 | ForcedUnchecked. | -| 1 | ForcedChecked. | +| 3 | ForcedDimAndNotify. | +| 2 | ForcedNotify. | +| 1 | ForcedDim. | | 0 (Default) | DefaultToUserChoice. | - + - + **Group policy mapping**: | Name | Value | |:--|:--| -| Name | ForcePrivacyScreenDim | +| Name | ForceOnlookerDetectionAction | | Path | Sensors > AT > WindowsComponents > HumanPresence | - + - + - + - - - -## ForcePrivacyScreenNotification - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenNotification -``` - - - - -Determines whether providing alert when people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | `int` | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 2 | ForcedUnchecked. | -| 1 | ForcedChecked. | -| 0 (Default) | DefaultToUserChoice. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | ForcePrivacyScreenNotification | -| Path | Sensors > AT > WindowsComponents > HumanPresence | - - - - - - - + diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md index c854a7c214..1dab53713b 100644 --- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md @@ -1,7 +1,7 @@ --- title: LanmanWorkstation Policy CSP description: Learn more about the LanmanWorkstation Area in Policy CSP. -ms.date: 03/12/2025 +ms.date: 04/04/2025 ms.topic: generated-reference --- @@ -10,10 +10,213 @@ ms.topic: generated-reference # Policy CSP - LanmanWorkstation +[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] + + +## AuditInsecureGuestLogon + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later
    ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/AuditInsecureGuestLogon +``` + + + + +This policy controls whether the SMB client will enable the audit event when the client is logged-on as guest account. + +- If you enable this policy setting, the SMB client will log the event when the client is logged-on as guest account. + +- If you disable or don't configure this policy setting, the SMB client won't log the event. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_AuditInsecureGuestLogon | +| Friendly Name | Audit insecure guest logon | +| Location | Computer Configuration | +| Path | Network > Lanman Workstation | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation | +| Registry Value Name | AuditInsecureGuestLogon | +| ADMX File Name | LanmanWorkstation.admx | + + + + + + + + + +## AuditServerDoesNotSupportEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later
    ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/AuditServerDoesNotSupportEncryption +``` + + + + +This policy controls whether the SMB client will enable the audit event when the SMB server doesn't support encryption. + +- If you enable this policy setting, the SMB client will log the event when the SMB server doesn't support encryption. + +- If you disable or don't configure this policy setting, the SMB client won't log the event. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_AuditServerDoesNotSupportEncryption | +| Friendly Name | Audit server does not support encryption | +| Location | Computer Configuration | +| Path | Network > Lanman Workstation | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation | +| Registry Value Name | AuditServerDoesNotSupportEncryption | +| ADMX File Name | LanmanWorkstation.admx | + + + + + + + + + +## AuditServerDoesNotSupportSigning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later
    ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/AuditServerDoesNotSupportSigning +``` + + + + +This policy controls whether the SMB client will enable the audit event when the SMB server doesn't support signing. + +- If you enable this policy setting, the SMB client will log the event when the SMB server doesn't support signing. + +- If you disable or don't configure this policy setting, the SMB client won't log the event. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_AuditServerDoesNotSupportSigning | +| Friendly Name | Audit server does not support signing | +| Location | Computer Configuration | +| Path | Network > Lanman Workstation | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation | +| Registry Value Name | AuditServerDoesNotSupportSigning | +| ADMX File Name | LanmanWorkstation.admx | + + + + + + + + ## EnableInsecureGuestLogons @@ -85,6 +288,282 @@ Insecure guest logons are used by file servers to allow unauthenticated access t + +## EnableMailslots + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later
    ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/EnableMailslots +``` + + + + +This policy controls whether the SMB client will enable or disable remote mailslots over MUP. + +- If you disable this policy setting, remote mailslots won't function over MUP, hence they won't go through the SMB client redirector. + +- If you don't configure this policy setting, remote mailslots may be allowed through MUP. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_EnableMailslots | +| Friendly Name | Enable remote mailslots | +| Location | Computer Configuration | +| Path | Network > Lanman Workstation | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkProvider | +| Registry Value Name | EnableMailslots | +| ADMX File Name | LanmanWorkstation.admx | + + + + + + + + + +## MaxSmb2Dialect + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later
    ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/MaxSmb2Dialect +``` + + + + +This policy controls the maximum version of SMB protocol. + +> [!NOTE] +> This group policy doesn't prevent use of SMB 1 if that component is still installed and enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 785 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 514 | SMB 2.0.2. | +| 528 | SMB 2.1.0. | +| 768 | SMB 3.0.0. | +| 770 | SMB 3.0.2. | +| 785 (Default) | SMB 3.1.1. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MaxSmb2Dialect | +| Friendly Name | Mandate the maximum version of SMB | +| Location | Computer Configuration | +| Path | Network > Lanman Workstation | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation | +| ADMX File Name | LanmanWorkstation.admx | + + + + + + + + + +## MinSmb2Dialect + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later
    ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/MinSmb2Dialect +``` + + + + +This policy controls the minimum version of SMB protocol. + +> [!NOTE] +> This group policy doesn't prevent use of SMB 1 if that component is still installed and enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 514 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 514 (Default) | SMB 2.0.2. | +| 528 | SMB 2.1.0. | +| 768 | SMB 3.0.0. | +| 770 | SMB 3.0.2. | +| 785 | SMB 3.1.1. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MinSmb2Dialect | +| Friendly Name | Mandate the minimum version of SMB | +| Location | Computer Configuration | +| Path | Network > Lanman Workstation | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation | +| ADMX File Name | LanmanWorkstation.admx | + + + + + + + + + +## RequireEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later
    ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/RequireEncryption +``` + + + + +This policy controls whether the SMB client will require encryption. + +- If you enable this policy setting, the SMB client will require the SMB server to support encryption and encrypt the data. + +- If you disable or don't configure this policy setting, the SMB client won't require encryption. However, SMB encryption may still be required; see notes below. + +> [!NOTE] +> This policy is combined with per-share, per-server, and per mapped drive connection properties, through which SMB encryption may be required. The SMB server must support and enable SMB encryption. For example, should this policy be disabled (or not configured), the SMB client may still perform encryption if an SMB server share has required encryption. + +> [!IMPORTANT] +> SMB encryption requires SMB 3.0 or later. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_RequireEncryption | +| Friendly Name | Require Encryption | +| Location | Computer Configuration | +| Path | Network > Lanman Workstation | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation | +| Registry Value Name | RequireEncryption | +| ADMX File Name | LanmanWorkstation.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index c1c09fc80e..5054b018b5 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md 
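Review bot: in the EnableMailslots section added to policy-csp-lanmanworkstation.md, the description covers only "disable" and "don't configure" and says an unconfigured device "may be allowed" to use remote mailslots over MUP, while the properties table gives Default Value 0 and the allowed-values table labels 0 as "Disabled". State what enabling the policy does and reconcile the default with the not-configured behaviour, because an admin reading only the tables will assume remote mailslots are off unless turned on. In the same hunk, the MaxSmb2Dialect and MinSmb2Dialect group policy mappings omit the Registry Value Name row that the other policies added here carry. The RequireEncryption note that "SMB encryption requires SMB 3.0 or later" would also be worth cross-referencing from MinSmb2Dialect, whose default of 514 (SMB 2.0.2) is below that.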
@@ -1,7 +1,7 @@ --- title: Power Policy CSP description: Learn more about the Power Area in Policy CSP. -ms.date: 03/12/2025 +ms.date: 04/04/2025 ms.topic: generated-reference --- @@ -12,6 +12,8 @@ ms.topic: generated-reference [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)] +[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] + @@ -307,6 +309,64 @@ If the user has configured a slide show to run on the lock screen when the machi + +## EnableEnergySaver + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/EnableEnergySaver +``` + + + + +This policy will extend battery life and reduce energy consumption by enabling Energy Saver to always be on. Energy Saver will always be on for desktops as well as laptops regardless of battery level for both AC and DC. If you disable or don't configure this policy setting, then Energy Saver will turn on based on the EnergySaverBatteryThreshold group policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disable energy saver policy. | +| 1 (Default) | Enable energy saver always-on mode. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableEnergySaver | +| Path | Power > AT > System > PowerManagementCat > EnergySaverSettingsCat | + + + + + + + + ## EnergySaverBatteryThresholdOnBattery @@ -344,6 +404,7 @@ This policy setting allows you to specify battery charge level at which Energy S | Access Type | Add, Delete, Get, Replace | | Allowed Values | Range: `[0-100]` | | Default Value | 0 | +| Dependency [Power_EnergySaverBatteryThresholdOnBattery_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `./Device/Vendor/MSFT/Policy/Config/Power/EnableEnergySaver`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | @@ -403,6 +464,7 @@ This policy setting allows you to specify battery charge level at which Energy S | Access Type | Add, Delete, Get, Replace | | Allowed Values | Range: `[0-100]` | | Default Value | 0 | +| Dependency [Power_EnergySaverBatteryThresholdPluggedIn_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `./Device/Vendor/MSFT/Policy/Config/Power/EnableEnergySaver`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index e26854737a..01fd23ea15 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -1,7 +1,7 @@ --- title: System Policy CSP description: Learn more about the System Area in Policy CSP. -ms.date: 03/12/2025 +ms.date: 04/04/2025 ms.topic: generated-reference --- @@ -12,6 +12,8 @@ ms.topic: generated-reference [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)] +[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] + @@ -1195,6 +1197,59 @@ If you don't configure this policy setting, or you set it to "Enable diagnostic + +## DisableCHPE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/System/DisableCHPE +``` + + + + +This policy setting controls whether loading CHPE binaries is disabled on the ARM64 device. This policy has no effect on x64 devices. + +- If you enable this policy setting, ARM64 devices won't load CHPE binaries. This setting is required for hotpatching on ARM64 devices. + +- If you disable or don't configure this policy setting, ARM64 devices will load CHPE binaries. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | CHPE Binaries Enabled (Default). | +| 1 | CHPE Binaries Disabled. | + + + + + + + + ## DisableDeviceDelete diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 1af5508754..dba323106b 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1,7 +1,7 @@ --- title: Update Policy CSP description: Learn more about the Update Area in Policy CSP. -ms.date: 03/12/2025 +ms.date: 04/04/2025 ms.topic: generated-reference --- 
@@ -2054,7 +2054,7 @@ Enables the IT admin to manage automatic update behavior to scan, download, and | Value | Description | |:--|:--| | 0 | Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. | -| 1 | Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that don't shutdown properly on restart. | +| 1 | Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. After the update is installed, if the user hasn't scheduled a restart, the device will attempt to restart automatically. The user will be notified about the scheduled restart and can reschedule it if the proposed time is inconvenient. 
Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that don't shutdown properly on restart. | | 2 (Default) | Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shutdown properly on restart. | | 3 | Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. | | 4 | Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only. | diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md index af569e0d56..555128e610 100644 --- a/windows/client-management/mdm/reboot-ddf-file.md +++ b/windows/client-management/mdm/reboot-ddf-file.md 
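Review bot: the rewritten description for value 1 removes the sentence giving the end-user up to seven days before a forced restart and replaces it with "the device will attempt to restart automatically" without saying when that happens. State the timing or deadline that now applies, or link to the policy that defines it, so admins can tell how long a patched device may run without restarting. The retained closing sentence about "Enabling the end-user to control the start time" should be rechecked against the new wording, which describes an automatic restart that the user can only reschedule.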
@@ -1,7 +1,7 @@ --- title: Reboot DDF file description: View the XML file containing the device description framework (DDF) for the Reboot configuration service provider. -ms.date: 02/13/2025 +ms.date: 04/04/2025 ms.topic: generated-reference --- @@ -96,7 +96,7 @@ The following XML file contains the device description framework (DDF) for the R - Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. Both the date and time are required. A reboot will be scheduled to occur at the specified date and time. Setting a null (empty) date will delete the existing schedule. + Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. Both the date and time are required. A reboot will be scheduled to occur at the specified date and time. Setting a null (empty) date will delete the existing schedule. @@ -123,7 +123,7 @@ The following XML file contains the device description framework (DDF) for the R - Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. While it is supported to set either DailyRecurrent or WeeklyRecurrent schedules, it is not supported to enable both settings simultaneously. A reboot will be scheduled to occur every day at the configured time starting at the specified date and time. Setting a null (empty) date will delete the existing schedule. + Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. While it is supported to set either DailyRecurrent or WeeklyRecurrent schedules, it is not supported to enable both settings simultaneously. A reboot will be scheduled to occur every day at the configured time starting at the specified date and time. Setting a null (empty) date will delete the existing schedule. 
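Review bot: the description lines touched in the -96 and -123 hunks give `2025-10-07T10:35:00` as the example value, which has no UTC offset or `Z`, and the text does not say whether the scheduled reboot time is read as device-local time or UTC; add that while this text is being edited. The removed and added lines also read identically as shown, so confirm the change is whitespace-only and intended.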
@@ -150,7 +150,7 @@ The following XML file contains the device description framework (DDF) for the R - Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. While it is supported to set either DailyRecurrent or WeeklyRecurrent schedules, it is not supported to enable both settings simultaneously. A reboot will be scheduled to occur every week at the configured day and time starting at the specified date and time. Setting a null (empty) date will delete the existing schedule. + Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. While it is supported to set either DailyRecurrent or WeeklyRecurrent schedules, it is not supported to enable both settings simultaneously. A reboot will be scheduled to occur every week at the configured day and time starting at the specified date and time. Setting a null (empty) date will delete the existing schedule. diff --git a/windows/configuration/start/layout.md b/windows/configuration/start/layout.md index 1e7aad75a5..0561559926 100644 --- a/windows/configuration/start/layout.md +++ b/windows/configuration/start/layout.md @@ -470,7 +470,7 @@ You can configure devices using the [Start CSP][WIN-1]. Use one of the following [!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)] -- **Path:** `Policies/Start/StartLayout` +- **Path:** Policies > Start > StartLayout - **Value:** content of the XML file > [!NOTE] diff --git a/windows/deployment/do/mcc-ent-deploy-to-linux.md b/windows/deployment/do/mcc-ent-deploy-to-linux.md index 8280d47b34..14a501e31c 100644 --- a/windows/deployment/do/mcc-ent-deploy-to-linux.md +++ b/windows/deployment/do/mcc-ent-deploy-to-linux.md 
@@ -28,7 +28,7 @@ Before deploying Connected Cache to a Linux host machine, ensure that the host m 1. Open a command line window *as administrator* on the host machine, then change directory to the extracted provisioning package. >[!Note] - >* If you are deploying your cache node to a Linux host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and add `proxyTlsCertificatePath="/path/to/pem/file"` to the provisioning command. + >* If you're deploying your cache node to a host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and then add `proxytlscertificatepath="/path/to/pem/file"` to the provisioning command. 1. Set access permissions to allow the `provisionmcc.sh` script within the provisioning package directory to execute. 1. Run the provisioning command on the host machine. 
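Review bot: the added note line changes the parameter from `proxyTlsCertificatePath` to `proxytlscertificatepath`, but nothing in the hunk says whether `provisionmcc.sh` treats the name as case-sensitive. Confirm against the script and say so in the note, since a parameter that is silently ignored would leave the cache node without the proxy certificate behind a TLS-inspecting proxy. The line should also make clear that the .pem file placed in the package directory is the proxy's certificate only, with no private key. Smaller points: "then place ... and then add" can drop the second "then", and removing "Linux" from "Linux host machine" loses nothing on this page but should be deliberate.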
@@ -47,8 +47,8 @@ To deploy a cache node programmatically, you'll need to use Azure CLI to get the 1. Download and extract the [Connected Cache provisioning package for Linux](https://aka.ms/MCC-Ent-InstallScript-Linux) to your host machine. 1. Open a command line window *as administrator* on the host machine, then change directory to the extracted provisioning package. - >[!Note] - >* If you are deploying your cache node to a host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and add `proxyTlsCertificatePath="/path/to/pem/file"` to the provisioning command. + > [!Note] + >* If you're deploying your cache node to a host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and then add `proxytlscertificatepath="/path/to/pem/file"` to the provisioning command. 1. Set access permissions to allow the `provisionmcc.sh` script within the provisioning package directory to execute. 1. Replace the values in the following provisioning command before running it on the host machine. diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index 59d11c87f8..8ea753be60 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -14,7 +14,7 @@ appliesto: - ✅ Windows 11 - ✅ Windows 10 - ✅ Delivery Optimization -ms.date: 10/15/2024 +ms.date: 04/03/2025 --- # Delivery Optimization reference 
@@ -335,6 +335,8 @@ Configure this policy to designate Delivery Optimization in Network Cache server > [!NOTE] > If you format the DHCP Option ID incorrectly, the client will fall back to the Cache Server Hostname policy value if that value has been configured. +> +> If the [LocalPolicyMerge](/windows/security/operating-system-security/network-security/windows-firewall/rules#local-policy-merge-and-application-rules) setting is configured, such as part of security baselines, it can impact DHCP client and prevent it from retrieving this DHCP option, especially in Autopilot scenarios. ### Maximum foreground download bandwidth (in KB/s) diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md index c52b1fff78..53fd47a91e 100644 --- a/windows/deployment/do/waas-delivery-optimization.md +++ b/windows/deployment/do/waas-delivery-optimization.md @@ -15,7 +15,7 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 05/23/2024 +ms.date: 04/03/2025 --- # What is Delivery Optimization? @@ -47,9 +47,6 @@ The following table lists the minimum Windows 10 version that supports Delivery #### Windows Client -> [!NOTE] -> Starting March 4, 2025, Edge Browser updates will temporarily not utilize Delivery Optimization for downloads. We are actively working to resolve this issue. - | Windows Client | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache | |------------------|---------------|----------------|----------|----------------| | Windows Update ([feature updates quality updates, language packs, drivers](../update/get-started-updates-channels-tools.md#types-of-updates)) | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | 
@@ -58,7 +55,7 @@ The following table lists the minimum Windows 10 version that supports Delivery | Windows Defender definition updates | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Intune Win32 apps| Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Microsoft 365 Apps and updates | Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Edge Browser Updates | Windows 10 1809, Windows 11 | | | | +| Edge Browser Updates | Windows 10 1809, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Configuration Manager Express updates| Windows 10 1709 + Configuration Manager version 1711, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Dynamic updates| Windows 10 1903, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | MDM Agent | Windows 11 | :heavy_check_mark: | | | diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index 51a6fb4e62..2e0fd5f1de 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -4,7 +4,7 @@ description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR) ms.service: windows-client author: frankroj ms.author: frankroj -ms.date: 11/26/2024 +ms.date: 04/08/2024 manager: aaroncz ms.localizationpriority: high ms.topic: how-to 
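Review bot: in the mbr-to-gpt.md front-matter hunk, `ms.date` moves from 11/26/2024 to 04/08/2024, which is earlier than the date it replaces, while the other files in this patch are stamped 04/03/2025 or 04/04/2025. This looks like a year typo; if the intent was to record this edit, the value should carry a 2025 year.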
@@ -19,9 +19,11 @@ appliesto: # MBR2GPT.EXE -**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows operating system (OS) by using the **`/allowFullOS`** option. +> [!IMPORTANT] +> +> **MBR2GPT.EXE** is located in the **`Windows\System32`** directory on any device running a [currently supported version of Windows](/windows/release-health/supported-versions-windows-client). -**MBR2GPT.EXE** is located in the **`Windows\System32`** directory on a computer running Windows. +**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows operating system (OS) by using the **`/allowFullOS`** option. The tool is available in both the full OS environment and Windows PE. 
@@ -451,22 +453,22 @@ The partition type can be determined with the DiskPart tool. The DiskPart tool i 1. The partition type is displayed in the **Gpt** column. If the partition is GPT, an asterisk (**\***) is displayed in the column. If the partition is MBR, the column is blank. -The following shows an example output of the DiskPart tool showing the partition type for two disks: + The following shows an example output of the DiskPart tool showing the partition type for two disks: -```cmd -X:\>DiskPart.exe + ```cmd + X:\>DiskPart.exe -Microsoft DiskPart version 10.0.15048.0 + Microsoft DiskPart version 10.0.15048.0 -Copyright (C) Microsoft Corporation. -On computer: MININT-K71F13N + Copyright (C) Microsoft Corporation. + On computer: MININT-K71F13N -DISKPART> list disk + DISKPART> list disk - Disk ### Status Size Free Dyn Gpt - -------- ------------- ------- ------- --- --- - Disk 0 Online 238 GB 0 B - Disk 1 Online 931 GB 0 B * -``` + Disk ### Status Size Free Dyn Gpt + -------- ------------- ------- ------- --- --- + Disk 0 Online 238 GB 0 B + Disk 1 Online 931 GB 0 B * + ``` In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is formatted using GPT. diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md index 78f9f1690b..34fd512807 100644 --- a/windows/deployment/upgrade/log-files.md +++ b/windows/deployment/upgrade/log-files.md 
@@ -1,257 +1,257 @@ ---- -title: Log files and resolving upgrade errors -description: Learn how to interpret and analyze the log files that are generated during the Windows upgrade process. -ms.service: windows-client -author: frankroj -manager: aaroncz -ms.author: frankroj -ms.localizationpriority: medium -ms.topic: troubleshooting -ms.collection: - - highpri - - tier2 -ms.subservice: itpro-deploy -ms.date: 01/29/2025 -appliesto: - - ✅ Windows 11 - - ✅ Windows 10 ---- - -# Windows upgrade log files - -> [!NOTE] -> -> This article is a 400-level article (advanced). -> -> See [Resolve Windows upgrade errors](resolve-windows-upgrade-errors.md) for a full list of articles in this section. - -Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is **setupact.log**. The log files are located in a different folder depending on the Windows Setup phase. Recall that the phase can be determined from the extend code. - -> [!NOTE] -> -> Also see the [Windows Error Reporting](windows-error-reporting.md) article in this section for help with locating error codes and log files. - -The following table describes some log files and how to use them for troubleshooting purposes: - -|Log file |Phase: Location |Description |When to use| -|---|---|---|---| -|**setupact.log**|Down-Level:
    $Windows.~BT\Sources\Panther|Contains information about setup actions during the downlevel phase. |All down-level failures and starting point for rollback investigations.
    Setup.act is the most important log for diagnosing setup issues.| -|**setupact.log**|OOBE:
    $Windows.~BT\Sources\Panther\UnattendGC|Contains information about actions during the OOBE phase.|Investigating rollbacks that failed during OOBE phase and operations - 0x4001C, 0x4001D, 0x4001E, 0x4001F.| -|**setupact.log**|Rollback:
    $Windows.~BT\Sources\Rollback|Contains information about actions during rollback.|Investigating generic rollbacks - 0xC1900101.| -|**setupact.log**|Pre-initialization (prior to downlevel):
    Windows|Contains information about initializing setup.|If setup fails to launch.| -|**setupact.log**|Post-upgrade (after OOBE):
    Windows\Panther|Contains information about setup actions during the installation.|Investigate post-upgrade related issues.| -|**setuperr.log**|Same as setupact.log|Contains information about setup errors during the installation.|Review all errors encountered during the installation phase.| -|**miglog.xml**|Post-upgrade (after OOBE):
    Windows\Panther|Contains information about what was migrated during the installation.|Identify post upgrade data migration issues.| -|**BlueBox.log**|Down-Level:
    Windows\Logs\Mosetup|Contains information communication between `setup.exe` and Windows Update.|Use during WSUS and Windows Update down-level failures or for 0xC1900107.| -|Supplemental rollback logs:
    **Setupmem.dmp**
    **setupapi.dev.log**
    Event logs (*.evtx)|$Windows.~BT\Sources\Rollback|Additional logs collected during rollback.|Setupmem.dmp: If OS bug checks during upgrade, setup attempts to extract a mini-dump.
    Setupapi: Device install issues - 0x30018
    Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.| - -## Log entry structure - -A `setupact.log` or `setuperr.log` entry includes the following elements: - -1. **The date and time** - 2023-09-08 09:20:05 - -2. **The log level** - Info, Warning, Error, Fatal Error - -3. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS - - The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are useful for troubleshooting Windows Setup errors. - -4. **The message** - Operation completed successfully. - -See the following example: - -| Date/Time | Log level | Component | Message | -|------|------------|------------|------------| -|2023-09-08 09:23:50,| Warning | MIG | Couldn't replace object C:\Users\name\Cookies. Target Object can't be removed.| - -## Analyze log files - -The following instructions are meant for IT professionals. Also see the [Upgrade error codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json) section in this guide to become familiar with [result codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes) and [extend codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes). - -To analyze Windows Setup log files: - -1. Determine the Windows Setup error code. Windows Setup should return an error code if it isn't successful with the upgrade process. - -1. Based on the [extend code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes) portion of the error code, determine the type and location of a log file to investigate. - -1. 
Open the log file in a text editor, such as notepad. - -1. Using the [result code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes) portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below. - -1. To find the last occurrence of the result code: - - 1. Scroll to the bottom of the file and select after the last character. - 1. Select **Edit**. - 1. Select **Find**. - 1. Type the result code. - 1. Under **Direction** select **Up**. - 1. Select **Find Next**. - -1. When the last occurrence of the result code is located, scroll up a few lines from this location in the file and review the processes that failed prior to generating the result code. - -1. Search for the following important text strings: - - - `Shell application requested abort` - - `Abandoning apply due to error for object` - -1. Decode Win32 errors that appear in this section. - -1. Write down the timestamp for the observed errors in this section. - -1. Search other log files for additional information matching these timestamps or errors. - -For example, assume that the error code for an error is **0x8007042B - 0x2000D**. Searching for **8007042B** reveals the following content from the `setuperr.log` file: - -> [!NOTE] -> -> Some lines in the following text are shortened to enhance readability. For example -> -> - The date and time at the start of each line (ex: 2023-10-05 15:27:08) is shortened to minutes and seconds -> - The certificate file name, which is a long text string, is shortened to just "CN." - -**setuperr.log** content: - -```console -27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. 
Will return 0[gle=0x00000570] -27:08, Error MIG Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570] -27:08, Error Gather failed. Last error: 0x00000000 -27:08, Error SP SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C -27:09, Error SP CMigrateFramework: Gather framework failed. Status: 44 -27:09, Error SP Operation failed: Migrate framework (Full). Error: 0x8007042B[gle=0x000000b7] -27:09, Error SP Operation execution failed: 13. hr = 0x8007042B[gle=0x000000b7] -27:09, Error SP CSetupPlatformPrivate::Execute: Execution of operations queue failed, abandoning. Error: 0x8007042B[gle=0x000000b7] -``` - -The first line indicates there was an error **0x00000570** with the file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]**: - -```console -27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570] -``` - -The error **0x00000570** is a [Win32 error code](/openspecs/windows_protocols/ms-erref/18d8fbe8-a967-4f1c-ae50-99ca8e491d2d) corresponding to: **ERROR_FILE_CORRUPT: The file or directory is corrupted and unreadable**. - -Therefore, Windows Setup failed because it wasn't able to migrate the corrupt file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]**. This file is a local system certificate and can be safely deleted. After the `setupact.log` file is searched for more details, the phrase **Shell application requested abort** is found in a location with the same timestamp as the lines in `setuperr.log`. 
This analysis confirms the suspicion that this file is the cause of the upgrade failure: - -**setupact.log** content: - -```console -27:00, Info Gather started at 10/5/2023 23:27:00 -27:00, Info [0x080489] MIG Setting system object filter context (System) -27:00, Info [0x0803e5] MIG Not unmapping HKCU\Software\Classes; it is not mapped -27:00, Info [0x0803e5] MIG Not unmapping HKCU; it is not mapped -27:00, Info SP ExecuteProgress: Elapsed events:1 of 4, Percent: 12 -27:00, Info [0x0802c6] MIG Processing GATHER for migration unit: <System>\UpgradeFramework (CMXEAgent) -27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570] -27:08, Error MIG Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570] -27:08, Info SP ExecuteProgress: Elapsed events:2 of 4, Percent: 25 -27:08, Info SP ExecuteProgress: Elapsed events:3 of 4, Percent: 37 -27:08, Info [0x080489] MIG Setting system object filter context (System) -27:08, Info [0x0803e5] MIG Not unmapping HKCU\Software\Classes; it is not mapped -27:08, Info [0x0803e5] MIG Not unmapping HKCU; it is not mapped -27:08, Info MIG COutOfProcPluginFactory::FreeSurrogateHost: Shutdown in progress. -27:08, Info MIG COutOfProcPluginFactory::LaunchSurrogateHost::CommandLine: -shortened- -27:08, Info MIG COutOfProcPluginFactory::LaunchSurrogateHost: Successfully launched host and got control object. -27:08, Error Gather failed. Last error: 0x00000000 -27:08, Info Gather ended at 10/5/2023 23:27:08 with result 44 -27:08, Info Leaving MigGather method -27:08, Error SP SPDoFrameworkGather: Gather operation failed. 
Error: 0x0000002C -``` - -**setupapi.dev.log** content: - -```console ->>> [Device Install (UpdateDriverForPlugAndPlayDevices) - PCI\VEN_8086&DEV_8C4F] ->>> Section start 2023/09/26 20:13:01.623 - cmd: rundll32.exe "C:\WINDOWS\Installer\MSI6E4C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_95972906 484 ChipsetWiX.CustomAction!Intel.Deployment.ChipsetWiX.CustomActions.InstallDrivers - ndv: INF path: C:\WINDOWS\TEMP\{15B1CD41-69F5-48EA-9F45-0560A40FE2D8}\Drivers\lynxpoint\LynxPointSystem.inf - ndv: Install flags: 0x00000000 - ndv: {Update Device Driver - PCI\VEN_8086&DEV_8C4F&SUBSYS_05BE1028&REV_04\3&11583659&0&F8} - ndv: Search options: 0x00000081 - ndv: Searching single INF 'C:\WINDOWS\TEMP\{15B1CD41-69F5-48EA-9F45-0560A40FE2D8}\Drivers\lynxpoint\LynxPointSystem.inf' - dvi: {Build Driver List} 20:13:01.643 - dvi: Searching for hardware ID(s): - dvi: pci\ven_8086&dev_8c4f&subsys_05be1028&rev_04 - dvi: pci\ven_8086&dev_8c4f&subsys_05be1028 - dvi: pci\ven_8086&dev_8c4f&cc_060100 - dvi: pci\ven_8086&dev_8c4f&cc_0601 - dvi: Searching for compatible ID(s): - dvi: pci\ven_8086&dev_8c4f&rev_04 - dvi: pci\ven_8086&dev_8c4f - dvi: pci\ven_8086&cc_060100 - dvi: pci\ven_8086&cc_0601 - dvi: pci\ven_8086 - dvi: pci\cc_060100 - dvi: pci\cc_0601 - sig: {_VERIFY_FILE_SIGNATURE} 20:13:01.667 - sig: Key = lynxpointsystem.inf - sig: FilePath = c:\windows\temp\{15b1cd41-69f5-48ea-9f45-0560a40fe2d8}\drivers\lynxpoint\lynxpointsystem.inf - sig: Catalog = c:\windows\temp\{15b1cd41-69f5-48ea-9f45-0560a40fe2d8}\drivers\lynxpoint\LynxPoint.cat - sig: Success: File is signed in catalog. 
- sig: {_VERIFY_FILE_SIGNATURE exit(0x00000000)} 20:13:01.683 - dvi: Created Driver Node: - dvi: HardwareID - PCI\VEN_8086&DEV_8C4F - dvi: InfName - c:\windows\temp\{15b1cd41-69f5-48ea-9f45-0560a40fe2d8}\drivers\lynxpoint\lynxpointsystem.inf - dvi: DevDesc - Intel(R) QM87 LPC Controller - 8C4F - dvi: Section - Needs_ISAPNP_DRV - dvi: Rank - 0x00ff2001 - dvi: Signer Score - WHQL - dvi: DrvDate - 04/04/2016 - dvi: Version - 10.1.1.18 - dvi: {Build Driver List - exit(0x00000000)} 20:13:01.699 - ndv: Searching currently installed INF - dvi: {Build Driver List} 20:13:01.699 - dvi: Searching for hardware ID(s): - dvi: pci\ven_8086&dev_8c4f&subsys_05be1028&rev_04 - dvi: pci\ven_8086&dev_8c4f&subsys_05be1028 - dvi: pci\ven_8086&dev_8c4f&cc_060100 - dvi: pci\ven_8086&dev_8c4f&cc_0601 - dvi: Searching for compatible ID(s): - dvi: pci\ven_8086&dev_8c4f&rev_04 - dvi: pci\ven_8086&dev_8c4f - dvi: pci\ven_8086&cc_060100 - dvi: pci\ven_8086&cc_0601 - dvi: pci\ven_8086 - dvi: pci\cc_060100 - dvi: pci\cc_0601 - dvi: Created Driver Node: - dvi: HardwareID - PCI\VEN_8086&DEV_8C4F - dvi: InfName - C:\WINDOWS\System32\DriverStore\FileRepository\lynxpointsystem.inf_amd64_cd1e518d883ecdfe\lynxpointsystem.inf - dvi: DevDesc - Intel(R) QM87 LPC Controller - 8C4F - dvi: Section - Needs_ISAPNP_DRV - dvi: Rank - 0x00ff2001 - dvi: Signer Score - WHQL - dvi: DrvDate - 10/03/2016 - dvi: Version - 10.1.1.38 - dvi: {Build Driver List - exit(0x00000000)} 20:13:01.731 - dvi: {DIF_SELECTBESTCOMPATDRV} 20:13:01.731 - dvi: Default installer: Enter 20:13:01.735 - dvi: {Select Best Driver} - dvi: Class GUID of device changed to: {4d36e97d-e325-11ce-bfc1-08002be10318}. 
- dvi: Selected Driver: - dvi: Description - Intel(R) QM87 LPC Controller - 8C4F - dvi: InfFile - c:\windows\system32\driverstore\filerepository\lynxpointsystem.inf_amd64_cd1e518d883ecdfe\lynxpointsystem.inf - dvi: Section - Needs_ISAPNP_DRV - dvi: {Select Best Driver - exit(0x00000000)} - dvi: Default installer: Exit - dvi: {DIF_SELECTBESTCOMPATDRV - exit(0x00000000)} 20:13:01.743 - ndv: Currently Installed Driver: - ndv: Inf Name - oem1.inf - ndv: Driver Date - 10/03/2016 - ndv: Driver Version - 10.1.1.38 - ndv: {Update Device Driver - exit(00000103)} -! ndv: No better matching drivers found for device 'PCI\VEN_8086&DEV_8C4F&SUBSYS_05BE1028&REV_04\3&11583659&0&F8'. -! ndv: No devices were updated. -<<< Section end 2019/09/26 20:13:01.759 -<<< [Exit status: FAILURE(0xC1900101)] -``` - -This analysis indicates that the Windows upgrade error can be resolved by deleting the `C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]` file. - -> [!NOTE] -> -> In this example, the full file name is `C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\be8228fb2d3cb6c6b0ccd9ad51b320b4_a43d512c-69f2-42de-aef9-7a88fabdaa3f`. - -## Related articles - -- [Fix Windows Update errors by using the DISM or System Update Readiness tool](/troubleshoot/windows-server/deployment/fix-windows-update-errors). +--- +title: Log files and resolving upgrade errors +description: Learn how to interpret and analyze the log files that are generated during the Windows upgrade process. +ms.service: windows-client +author: frankroj +manager: aaroncz +ms.author: frankroj +ms.localizationpriority: medium +ms.topic: troubleshooting +ms.collection: + - highpri + - tier2 +ms.subservice: itpro-deploy +ms.date: 04/08/2025 +appliesto: + - ✅ Windows 11 + - ✅ Windows 10 +--- + +# Windows upgrade log files + +> [!NOTE] +> +> This article is a 400-level article (advanced). +> +> See [Resolve Windows upgrade errors](resolve-windows-upgrade-errors.md) for a full list of articles in this section. 
+ +Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is **setupact.log**. The log files are located in a different folder depending on the Windows Setup phase. Recall that the phase can be determined from the [extend code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes). + +> [!NOTE] +> +> Also see the [Windows Error Reporting](windows-error-reporting.md) article in this section for help with locating error codes and log files. + +The following table describes some log files and how to use them for troubleshooting purposes: + +|Log file |Phase: Location |Description |When to use| +|---|---|---|---| +|**setupact.log**|Down-Level:
    $Windows.~BT\Sources\Panther|Contains information about setup actions during the downlevel phase. |All downlevel failures and starting point for rollback investigations.
    Setup.act is the most important log for diagnosing setup issues.| +|**setupact.log**|Out of box experience (OOBE):
    $Windows.~BT\Sources\Panther\UnattendGC|Contains information about actions during the OOBE phase.|Investigating rollbacks that failed during OOBE phase and operations - 0x4001C, 0x4001D, 0x4001E, 0x4001F.| +|**setupact.log**|Rollback:
    $Windows.~BT\Sources\Rollback|Contains information about actions during rollback.|Investigating generic rollbacks - 0xC1900101.| +|**setupact.log**|Pre-initialization (before downlevel):
    Windows|Contains information about initializing setup.|If setup fails to launch.| +|**setupact.log**|Post-upgrade (after OOBE):
    Windows\Panther|Contains information about setup actions during the installation.|Investigate post-upgrade related issues.| +|**setuperr.log**|Same as setupact.log|Contains information about setup errors during the installation.|Review all errors encountered during the installation phase.| +|**miglog.xml**|Post-upgrade (after OOBE):
    Windows\Panther|Contains information about what was migrated during the installation.|Identify post upgrade data migration issues.| +|**BlueBox.log**|Down-Level:
    Windows\Logs\Mosetup|Contains information communication between `setup.exe` and Windows Update.|Use during WSUS and Windows Update downlevel failures or for 0xC1900107.| +|Supplemental rollback logs:
    **Setupmem.dmp**
    **setupapi.dev.log**
    Event logs (*.evtx)|$Windows.~BT\Sources\Rollback|Additional logs collected during rollback.|Setupmem.dmp: If OS bug checks during upgrade, setup attempts to extract a mini-dump.
    Setupapi: Device install issues - 0x30018
    Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.| + +## Log entry structure + +A `setupact.log` or `setuperr.log` entry includes the following elements: + +1. **The date and time** - 2023-09-08 09:20:05 + +1. **The log level** - Info, Warning, Error, Fatal Error + +1. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS + + The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are useful for troubleshooting Windows Setup errors. + +1. **The message** - Operation completed successfully. + +See the following example: + +| Date/Time | Log level | Component | Message | +|------|------------|------------|------------| +|2023-09-08 09:23:50,| Warning | MIG | Couldn't replace object C:\Users\name\Cookies. Target Object can't be removed.| + +## Analyze log files + +The following instructions are meant for IT professionals. To become more familiar with [result codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes) and [extend codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes), see the article [Upgrade error codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json). + +To analyze Windows Setup log files: + +1. Determine the Windows Setup error code. Windows Setup should return an error code if it isn't successful with the upgrade process. + +1. Based on the [extend code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes) portion of the error code, determine the type and location of a log file to investigate. + +1. 
Open the log file in a text editor, such as Notepad. + +1. Using the [result code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes) portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below. + +1. To find the last occurrence of the result code: + + 1. Scroll to the bottom of the file and select after the last character. + 1. Select **Edit**. + 1. Select **Find**. + 1. Type the result code. + 1. Under **Direction** select **Up**. + 1. Select **Find Next**. + +1. When the last occurrence of the result code is located, scroll up a few lines from this location in the file and review the processes that failed before generating the result code. + +1. Search for the following important text strings: + + - `Shell application requested abort` + - `Abandoning apply due to error for object` + +1. Decode Win32 errors that appear in this section. + +1. Write down the timestamp for the observed errors in this section. + +1. Search other log files for additional information matching these timestamps or errors. + +For example, assume that the error code for an error is **0x8007042B - 0x2000D**. Searching for **8007042B** reveals the following content from the `setuperr.log` file: + +> [!NOTE] +> +> Some lines in the following text are shortened to enhance readability. For example +> +> - The date and time at the start of each line (ex: 2023-10-05 15:27:08) is shortened to minutes and seconds +> - The certificate file name, which is a long text string, is shortened to just "CN." + +**setuperr.log** content: + +```console +27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. 
Will return 0[gle=0x00000570] +27:08, Error MIG Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570] +27:08, Error Gather failed. Last error: 0x00000000 +27:08, Error SP SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C +27:09, Error SP CMigrateFramework: Gather framework failed. Status: 44 +27:09, Error SP Operation failed: Migrate framework (Full). Error: 0x8007042B[gle=0x000000b7] +27:09, Error SP Operation execution failed: 13. hr = 0x8007042B[gle=0x000000b7] +27:09, Error SP CSetupPlatformPrivate::Execute: Execution of operations queue failed, abandoning. Error: 0x8007042B[gle=0x000000b7] +``` + +The first line indicates there was an error **0x00000570** with the file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]**: + +```console +27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570] +``` + +The error **0x00000570** is a [Win32 error code](/openspecs/windows_protocols/ms-erref/18d8fbe8-a967-4f1c-ae50-99ca8e491d2d) corresponding to: **ERROR_FILE_CORRUPT: The file or directory is corrupted and unreadable**. + +Therefore, Windows Setup failed because it wasn't able to migrate the corrupt file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]**. This file is a local system certificate and can be safely deleted. After the `setupact.log` file is searched for more details, the phrase **Shell application requested abort** is found in a location with the same timestamp as the lines in `setuperr.log`. 
This analysis confirms the suspicion that this file is the cause of the upgrade failure: + +**setupact.log** content: + +```console +27:00, Info Gather started at 10/5/2023 23:27:00 +27:00, Info [0x080489] MIG Setting system object filter context (System) +27:00, Info [0x0803e5] MIG Not unmapping HKCU\Software\Classes; it is not mapped +27:00, Info [0x0803e5] MIG Not unmapping HKCU; it is not mapped +27:00, Info SP ExecuteProgress: Elapsed events:1 of 4, Percent: 12 +27:00, Info [0x0802c6] MIG Processing GATHER for migration unit: <System>\UpgradeFramework (CMXEAgent) +27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570] +27:08, Error MIG Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570] +27:08, Info SP ExecuteProgress: Elapsed events:2 of 4, Percent: 25 +27:08, Info SP ExecuteProgress: Elapsed events:3 of 4, Percent: 37 +27:08, Info [0x080489] MIG Setting system object filter context (System) +27:08, Info [0x0803e5] MIG Not unmapping HKCU\Software\Classes; it is not mapped +27:08, Info [0x0803e5] MIG Not unmapping HKCU; it is not mapped +27:08, Info MIG COutOfProcPluginFactory::FreeSurrogateHost: Shutdown in progress. +27:08, Info MIG COutOfProcPluginFactory::LaunchSurrogateHost::CommandLine: -shortened- +27:08, Info MIG COutOfProcPluginFactory::LaunchSurrogateHost: Successfully launched host and got control object. +27:08, Error Gather failed. Last error: 0x00000000 +27:08, Info Gather ended at 10/5/2023 23:27:08 with result 44 +27:08, Info Leaving MigGather method +27:08, Error SP SPDoFrameworkGather: Gather operation failed. 
Error: 0x0000002C +``` + +**setupapi.dev.log** content: + +```console +>>> [Device Install (UpdateDriverForPlugAndPlayDevices) - PCI\VEN_8086&DEV_8C4F] +>>> Section start 2023/09/26 20:13:01.623 + cmd: rundll32.exe "C:\WINDOWS\Installer\MSI6E4C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_95972906 484 ChipsetWiX.CustomAction!Intel.Deployment.ChipsetWiX.CustomActions.InstallDrivers + ndv: INF path: C:\WINDOWS\TEMP\{15B1CD41-69F5-48EA-9F45-0560A40FE2D8}\Drivers\lynxpoint\LynxPointSystem.inf + ndv: Install flags: 0x00000000 + ndv: {Update Device Driver - PCI\VEN_8086&DEV_8C4F&SUBSYS_05BE1028&REV_04\3&11583659&0&F8} + ndv: Search options: 0x00000081 + ndv: Searching single INF 'C:\WINDOWS\TEMP\{15B1CD41-69F5-48EA-9F45-0560A40FE2D8}\Drivers\lynxpoint\LynxPointSystem.inf' + dvi: {Build Driver List} 20:13:01.643 + dvi: Searching for hardware ID(s): + dvi: pci\ven_8086&dev_8c4f&subsys_05be1028&rev_04 + dvi: pci\ven_8086&dev_8c4f&subsys_05be1028 + dvi: pci\ven_8086&dev_8c4f&cc_060100 + dvi: pci\ven_8086&dev_8c4f&cc_0601 + dvi: Searching for compatible ID(s): + dvi: pci\ven_8086&dev_8c4f&rev_04 + dvi: pci\ven_8086&dev_8c4f + dvi: pci\ven_8086&cc_060100 + dvi: pci\ven_8086&cc_0601 + dvi: pci\ven_8086 + dvi: pci\cc_060100 + dvi: pci\cc_0601 + sig: {_VERIFY_FILE_SIGNATURE} 20:13:01.667 + sig: Key = lynxpointsystem.inf + sig: FilePath = c:\windows\temp\{15b1cd41-69f5-48ea-9f45-0560a40fe2d8}\drivers\lynxpoint\lynxpointsystem.inf + sig: Catalog = c:\windows\temp\{15b1cd41-69f5-48ea-9f45-0560a40fe2d8}\drivers\lynxpoint\LynxPoint.cat + sig: Success: File is signed in catalog. 
+ sig: {_VERIFY_FILE_SIGNATURE exit(0x00000000)} 20:13:01.683 + dvi: Created Driver Node: + dvi: HardwareID - PCI\VEN_8086&DEV_8C4F + dvi: InfName - c:\windows\temp\{15b1cd41-69f5-48ea-9f45-0560a40fe2d8}\drivers\lynxpoint\lynxpointsystem.inf + dvi: DevDesc - Intel(R) QM87 LPC Controller - 8C4F + dvi: Section - Needs_ISAPNP_DRV + dvi: Rank - 0x00ff2001 + dvi: Signer Score - WHQL + dvi: DrvDate - 04/04/2016 + dvi: Version - 10.1.1.18 + dvi: {Build Driver List - exit(0x00000000)} 20:13:01.699 + ndv: Searching currently installed INF + dvi: {Build Driver List} 20:13:01.699 + dvi: Searching for hardware ID(s): + dvi: pci\ven_8086&dev_8c4f&subsys_05be1028&rev_04 + dvi: pci\ven_8086&dev_8c4f&subsys_05be1028 + dvi: pci\ven_8086&dev_8c4f&cc_060100 + dvi: pci\ven_8086&dev_8c4f&cc_0601 + dvi: Searching for compatible ID(s): + dvi: pci\ven_8086&dev_8c4f&rev_04 + dvi: pci\ven_8086&dev_8c4f + dvi: pci\ven_8086&cc_060100 + dvi: pci\ven_8086&cc_0601 + dvi: pci\ven_8086 + dvi: pci\cc_060100 + dvi: pci\cc_0601 + dvi: Created Driver Node: + dvi: HardwareID - PCI\VEN_8086&DEV_8C4F + dvi: InfName - C:\WINDOWS\System32\DriverStore\FileRepository\lynxpointsystem.inf_amd64_cd1e518d883ecdfe\lynxpointsystem.inf + dvi: DevDesc - Intel(R) QM87 LPC Controller - 8C4F + dvi: Section - Needs_ISAPNP_DRV + dvi: Rank - 0x00ff2001 + dvi: Signer Score - WHQL + dvi: DrvDate - 10/03/2016 + dvi: Version - 10.1.1.38 + dvi: {Build Driver List - exit(0x00000000)} 20:13:01.731 + dvi: {DIF_SELECTBESTCOMPATDRV} 20:13:01.731 + dvi: Default installer: Enter 20:13:01.735 + dvi: {Select Best Driver} + dvi: Class GUID of device changed to: {4d36e97d-e325-11ce-bfc1-08002be10318}. 
+ dvi: Selected Driver: + dvi: Description - Intel(R) QM87 LPC Controller - 8C4F + dvi: InfFile - c:\windows\system32\driverstore\filerepository\lynxpointsystem.inf_amd64_cd1e518d883ecdfe\lynxpointsystem.inf + dvi: Section - Needs_ISAPNP_DRV + dvi: {Select Best Driver - exit(0x00000000)} + dvi: Default installer: Exit + dvi: {DIF_SELECTBESTCOMPATDRV - exit(0x00000000)} 20:13:01.743 + ndv: Currently Installed Driver: + ndv: Inf Name - oem1.inf + ndv: Driver Date - 10/03/2016 + ndv: Driver Version - 10.1.1.38 + ndv: {Update Device Driver - exit(00000103)} +! ndv: No better matching drivers found for device 'PCI\VEN_8086&DEV_8C4F&SUBSYS_05BE1028&REV_04\3&11583659&0&F8'. +! ndv: No devices were updated. +<<< Section end 2019/09/26 20:13:01.759 +<<< [Exit status: FAILURE(0xC1900101)] +``` + +This analysis indicates that the Windows upgrade error can be resolved by deleting the `C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]` file. + +> [!NOTE] +> +> In this example, the full file name is `C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\be8228fb2d3cb6c6b0ccd9ad51b320b4_a43d512c-69f2-42de-aef9-7a88fabdaa3f`. + +## Related articles + +- [Fix Windows Update errors by using the DISM or System Update Readiness tool](/troubleshoot/windows-server/deployment/fix-windows-update-errors). diff --git a/windows/deployment/upgrade/resolve-windows-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-upgrade-errors.md index 9ab18bdcfd..8b9ff49ed1 100644 --- a/windows/deployment/upgrade/resolve-windows-upgrade-errors.md +++ b/windows/deployment/upgrade/resolve-windows-upgrade-errors.md @@ -8,7 +8,7 @@ ms.localizationpriority: medium ms.topic: troubleshooting-general ms.service: windows-client ms.subservice: itpro-deploy -ms.date: 01/29/2025 +ms.date: 04/08/2025 appliesto: - ✅ Windows 11 - ✅ Windows 10 
@@ -35,22 +35,22 @@ The following four levels are assigned: See the following articles in this section: -- [Quick fixes](/troubleshoot/windows-client/deployment/windows-10-upgrade-quick-fixes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): \Level 100\ Steps to take to eliminate many Windows upgrade errors. -- [SetupDiag](setupdiag.md): \Level 300\ SetupDiag is a new tool to help isolate the root cause of an upgrade failure. -- [Troubleshooting upgrade errors](/troubleshoot/windows-client/deployment/windows-10-upgrade-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): \Level 300\ General advice and techniques for troubleshooting Windows upgrade errors, and an explanation of phases used during the upgrade process. -- [Windows Error Reporting](windows-error-reporting.md): \Level 300\ How to use Event Viewer to review details about a Windows upgrade. -- [Upgrade error codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): \Level 400\ The components of an error code are explained. +- [Quick fixes](/troubleshoot/windows-client/deployment/windows-10-upgrade-quick-fixes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): (Level 100) Steps to take to eliminate many Windows upgrade errors. +- [SetupDiag](setupdiag.md): (Level 300) SetupDiag is a new tool to help isolate the root cause of an upgrade failure. +- [Troubleshooting upgrade errors](/troubleshoot/windows-client/deployment/windows-10-upgrade-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): (Level 300) General advice and techniques for troubleshooting Windows upgrade errors, and an explanation of phases used during the upgrade process. 
+- [Windows Error Reporting](windows-error-reporting.md): (Level 300) How to use Event Viewer to review details about a Windows upgrade. +- [Upgrade error codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): (Level 400) The components of an error code are explained. - [Result codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes): Information about result codes. - [Extend codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes): Information about extend codes. -- [Log files](log-files.md): \Level 400\ A list and description of log files useful for troubleshooting. +- [Log files](log-files.md): (Level 400) A list and description of log files useful for troubleshooting. - [Log entry structure](log-files.md#log-entry-structure): The format of a log entry is described. - [Analyze log files](log-files.md#analyze-log-files): General procedures for log file analysis, and an example. -- [Resolution procedures](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): \Level 200\ Causes and mitigation procedures associated with specific error codes. +- [Resolution procedures](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): (Level 200) Causes and mitigation procedures associated with specific error codes. - [0xC1900101](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#0xc1900101): Information about the 0xC1900101 result code. 
- [0x800xxxxx](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#0x800xxxxx): Information about result codes that start with 0x800. - [Other result codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#other-result-codes): Additional causes and mitigation procedures are provided for some result codes. - [Other error codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#other-error-codes): Additional causes and mitigation procedures are provided for some error codes. -- [Submit Windows upgrade errors](submit-errors.md): \Level 100\ Submit upgrade errors to Microsoft for analysis. +- [Submit Windows upgrade errors](submit-errors.md): (Level 100) Submit upgrade errors to Microsoft for analysis. ## Related articles diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index 140ffb27b7..b082524620 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md @@ -12,7 +12,7 @@ ms.topic: troubleshooting ms.collection: - highpri - tier2 -ms.date: 03/27/2025 +ms.date: 04/08/2025 appliesto: - ✅ Windows 11 - ✅ Windows 10 
@@ -24,14 +24,15 @@ appliesto: > > This article is a 300 level article (moderate advanced). See [Resolve Windows upgrade errors](resolve-windows-upgrade-errors.md) for a full list of articles in this section. -> [!div class="nextstepaction"] -> [Download the latest version of SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142) - ## About SetupDiag > [!IMPORTANT] > -> When SetupDiag is run manually, Microsoft recommends running the latest version of SetupDiag. The latest version is available via the following [download link](https://go.microsoft.com/fwlink/?linkid=870142). Running the latest version ensures the latest functionality and fixes known issues. +> When SetupDiag is run manually, Microsoft recommends running the latest version of SetupDiag. The latest version is available via the following link: +> +> [Download the latest version of SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142) +> +> Running the latest version ensures the latest functionality and fixes known issues. SetupDiag is a diagnostic tool that can be used to obtain details about why a Windows upgrade was unsuccessful. 
@@ -39,14 +40,14 @@ SetupDiag works by examining Windows Setup log files. It attempts to parse these SetupDiag is included with [Windows Setup](/windows-hardware/manufacture/desktop/deployment-troubleshooting-and-log-files#windows-setup-scenario) in all currently supported versions of Windows. -During the upgrade process, Windows Setup extracts all its sources files, including **SetupDiag.exe**, to the **%SystemDrive%\$Windows.~bt\Sources** directory. If there's an issue with the upgrade, SetupDiag automatically runs to determine the cause of the failure. +During the upgrade process, Windows Setup extracts all its source files, including `SetupDiag.exe`, to the `%SystemDrive%\$Windows.~bt\Sources` directory. If there's an issue with the upgrade, SetupDiag automatically runs to determine the cause of the failure. When run by Windows Setup, the following [parameters](#parameters) are used: -- /ZipLogs:False -- /Format:xml -- /Output:%windir%\logs\SetupDiag\SetupDiagResults.xml -- /RegPath:HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupDiag\Results +- `/ZipLogs:False` +- `/Format:xml` +- `/Output:%windir%\logs\SetupDiag\SetupDiagResults.xml` +- `/RegPath:HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupDiag\Results` The resulting SetupDiag analysis can be found at `%WinDir%\Logs\SetupDiag\SetupDiagResults.xml` and in the registry under `HKLM\SYSTEM\Setup\SetupDiag\Results`. 
@@ -58,7 +59,11 @@ The resulting SetupDiag analysis can be found at `%WinDir%\Logs\SetupDiag\SetupD > > When SetupDiag indicates that there were multiple failures, the last failure in the log file is typically the fatal error, not the first one. -If the upgrade process proceeds normally, the **Sources** directory including **SetupDiag.exe** is moved under **%SystemDrive%\Windows.Old** for cleanup. If the **Windows.old** directory is deleted later, **SetupDiag.exe** is also removed. +If the upgrade process proceeds normally, the `Sources` directory including `SetupDiag.exe` is moved under `%SystemDrive%\Windows.Old` for cleanup. If the `Windows.old` directory is deleted later, `SetupDiag.exe` is also removed. + +> [!TIP] +> +> If `SetupDiag.exe` is needed after the `Windows.old` directory is deleted, it can be downloaded from the [Microsoft Download Center](https://go.microsoft.com/fwlink/?linkid=870142). ## Requirements 
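Review bot: The rewritten sentence names the same directory with two casings, `%SystemDrive%\Windows.Old` and then `Windows.old`, and now that both are in code formatting the mismatch reads as two different paths. Pick one casing and use it in the sentence and in the new TIP. The TIP also calls the `linkid=870142` fwlink the "Microsoft Download Center", while the IMPORTANT note earlier in this file labels the same link "Download the latest version of SetupDiag"; using one label for one URL lets readers see it is the same download.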
@@ -81,50 +86,52 @@ If the upgrade process proceeds normally, the **Sources** directory including ** ## Using SetupDiag -To quickly use SetupDiag on the current computer: +To use SetupDiag: 1. Verify that the system meets the [requirements](#requirements). -1. [Download SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142). +1. [Download](https://go.microsoft.com/fwlink/?linkid=870142) the latest version of SetupDiag. -1. If the web browser asks what to do with the file, choose **Save**. By default, the file is saved to the **Downloads** folder. If desired, the file can also be saved to a different location by using **Save As**. +1. If the web browser asks what to do with the file, choose **Save**. By default, the file is saved to the **Downloads** folder, which is displayed in File Explorer under **Quick access** in the left navigation pane. If desired, the file can also be saved to a different location by using **Save As**. -1. When SetupDiag finishes downloading, open the folder where the file was downloaded. By default, this folder is the **Downloads** folder, which is displayed in File Explorer under **Quick access** in the left navigation pane. +1. Once SetupDiag finishes downloading, open an elevated command prompt and navigate to the directory where `setupdiag.exe` was downloaded and saved to. -1. Double-click the **SetupDiag** file to run it. Select **Yes** if asked to approve running the program. +1. In the elevated command prompt, run `setupdiage.exe` in online mode using the desired parameters as documented in the [Parameters](#parameters) and [Examples](#examples) sections. - Double-clicking the file to run it automatically closes the command window when SetupDiag completes its analysis. To instead keep the window open to review the messages SetupDiag generates, run the program by typing **SetupDiag** at the command prompt instead of double-clicking it. 
When running from a command prompt, make sure to change directories to where SetupDiag is located. +1. Wait for SetupDiag to finish. -1. A command window opens while SetupDiag diagnoses the computer. Wait for this process to finish. - -1. When SetupDiag finishes, two files are created in the same folder where SetupDiag was run from. One is a configuration file, the other is a log file. +1. When SetupDiag finishes, two files are created in the same folder where SetupDiag was run from: + - A configuration file. + - A log file. 1. Use Notepad to open the log file **SetupDiagResults.log**. 1. Review the information that is displayed. If a rule was matched, this information can say why the computer failed to upgrade, and potentially how to fix the problem. See the section [Text log sample](#text-log-sample). -For instructions on how to run the tool in offline mode and with more advanced options, see the sections [Parameters](#parameters) and [Examples](#examples). +> [!TIP] +> +> For instructions on how to run the tool in offline mode in Windows PE, see the sections [Parameters](#parameters) and [Examples](#examples). ## Parameters | Parameter | Description | | --- | --- | -| **/?** | Displays interactive help | -| **/Output:\[Full path and file name for output log file\]** | This optional parameter specifies the name and location for the results log file. The output file contains the analysis from SetupDiag. Only text format output is supported. UNC paths work provided the context under which SetupDiag runs has access to the UNC path. If the path has a space in it, the entire path must be enclosed in double quotes (**"**). See the [Examples](#examples) sections for an example.

    Default: If not specified, SetupDiag creates the file **SetupDiagResults.log** in the same directory where **SetupDiag.exe** is run. | -| **/LogsPath:\[Full path to logs\]** | This optional parameter specifies the location of logs to parse and where to find the log files for an offline analysis. These log files can be in a flat folder format, or containing multiple subdirectories. SetupDiag recursively searches all child directories. Defaults to checking the current system for logs. | +| **/?** | Displays help information | +| **/Output:\[Full path and file name for output log file\]** | This optional parameter specifies the name and location for the results log file. The output file contains the analysis from SetupDiag. Only text format output is supported. UNC paths work provided the context under which SetupDiag runs has access to the UNC path. If the path has a space in it, the entire path must be enclosed in double quotes (**"**). See the [Examples](#examples) sections for an example.

    Default: If not specified, SetupDiag creates the file **SetupDiagResults.log** in the same directory where **SetupDiag.exe** is run. | +| **/LogsPath:\[Full path to logs\]** | This optional parameter specifies the location of logs to parse and where to find the log files for an offline analysis. These log files can be in a flat folder format, or containing multiple subdirectories. SetupDiag recursively searches all child directories. Defaults to checking the current system for logs. | | **/ZipLogs:\[True \| False\]** | This optional parameter Tells **SetupDiag.exe** to create a zip file containing the results and all the log files that were parsed. The zip file is created in the same directory where **SetupDiag.exe** is run.

    Default: If not specified, a value of 'true' is used. | -| **/Format:\[xml \| json\]** | This optional parameter specifies the output format for log files to be XML or JSON. If this parameter isn't specified, text format is used by default. | +| **/Format:\[xml \| json\]** | This optional parameter specifies the output format for log files to be XML or JSON. If this parameter isn't specified, text format is used by default. | | **/Scenario:\[Recovery \| Debug\]** | This optional parameter can do one of the following two items based on the argument used:

    • Recovery instructs **SetupDiag.exe** to look for and process reset and recovery logs and ignore setup/upgrade logs.
    • Debug instructs **SetupDiag.exe** to debug memory dumps if the requisite debug binaries are installed.
    | -| **/Verbose** | This optional parameter creates a diagnostic log in the current directory, with debugging information, additional data, and details about SetupDiag. By default, SetupDiag only produces a log file entry for major errors. Using **/Verbose** causes SetupDiag to always produce another log file with debugging details. These details can be useful when reporting a problem with SetupDiag. | +| **/Verbose** | This optional parameter creates a diagnostic log in the current directory, with debugging information, additional data, and details about SetupDiag. By default, SetupDiag only produces a log file entry for major errors. Using **/Verbose** causes SetupDiag to always produce another log file with debugging details. These details can be useful when reporting a problem with SetupDiag. | | **/NoTel** | This optional parameter tells **SetupDiag.exe** not to send diagnostic telemetry to Microsoft. | -| **/RegPath** | This optional parameter Instructs **SetupDiag.exe** to add failure information to the registry under the given path. Registry paths should start with **HKEY_LOCAL_MACHINE** or **HKEY_CURRENT_USER** and be accessible at the elevation level SetupDiag is executed under. If this parameter isn't specified, the default path is **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag**. | -| **/AddReg** | This optional parameter Instructs **SetupDiag.exe** to add failure information to the registry on the executing system in offline mode. SetupDiag by default adds failure information to the registry in Online mode only. Registry data goes to **HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile\SetupDiag** unless otherwise specified. | +| **/RegPath** | This optional parameter Instructs **SetupDiag.exe** to add failure information to the registry under the given path. Registry paths should start with **HKEY_LOCAL_MACHINE** or **HKEY_CURRENT_USER** and be accessible at the elevation level SetupDiag is executed under. 
If this parameter isn't specified, the default path is `HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag`. | +| **/AddReg** | This optional parameter Instructs **SetupDiag.exe** to add failure information to the registry on the executing system in offline mode. SetupDiag by default adds failure information to the registry in Online mode only. Registry data goes to `HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile\SetupDiag` unless otherwise specified. | > [!NOTE] > > The **/Mode** parameter is deprecated in SetupDiag. > -> In previous versions, this command was used with the LogsPath parameter to specify that SetupDiag should run in an offline manner to analyze a set of log files that were captured from a different computer. In current versions of SetupDiag, when /LogsPath is specified then SetupDiag automatically runs in offline mode, therefore the /Mode parameter isn't needed. +> In previous versions, the **/Mode** parameter was used with the **/LogsPath** parameter in offline mode and would analyze a set of log files that were captured on a different computer. In current versions of SetupDiag, when **/LogsPath** is specified, then SetupDiag automatically runs in offline mode, therefore the **/Mode** parameter isn't needed. ### Examples 
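Review bot: The new step 5 under "Using SetupDiag" tells the reader to run `setupdiage.exe`, which is a typo for the executable name; a reader who copies it into the elevated prompt gets a command-not-found error. Change it to `SetupDiag.exe`, and use the same casing in step 4, which currently says `setupdiag.exe`, so both match the `SetupDiag.exe` spelling used in the Parameters table and the Examples. Step 4 also ends with "downloaded and saved to"; "the directory where `SetupDiag.exe` was saved" is enough.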
@@ -132,13 +139,13 @@ For instructions on how to run the tool in offline mode and with more advanced o > > **SetupDiage.exe** should be run from an elevated command prompt for it to work properly. -- In the following example, SetupDiag is run without parameters and it displays interactive help. +- In the following example, SetupDiag is run without parameters and it displays help information. ```cmd SetupDiag.exe ``` -- In the following example, SetupDiag is run in online mode (this mode is the default). It knows where to look for logs on the current (failing) system, so there's no need to gather logs ahead of time. A custom location for results is specified. +- In the following example, SetupDiag is run in online mode (this mode is the default). It knows where to look for logs on the current (failing) system, so there's no need to gather logs ahead of time. A custom location for results is specified. ```cmd SetupDiag.exe /Output:C:\SetupDiag\Results.log 
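Review bot: The context line at the top of this hunk still reads `**SetupDiage.exe** should be run from an elevated command prompt`, with the executable name misspelled. Since this patch is already editing the Examples section, fix it to `SetupDiag.exe` in the same change. The second changed bullet (online mode) appears to differ only in spacing between sentences, so confirm that the whitespace-only change is intended.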
@@ -156,13 +163,12 @@ For instructions on how to run the tool in offline mode and with more advanced o SetupDiag.exe /Output:C:\SetupDiag\Results.log /LogsPath:D:\Temp\Logs\LogSet1 ``` -- The following example sets recovery scenario in offline mode. In the example, SetupDiag searches for reset/recovery logs in the specified LogsPath location and output the results to the directory specified by the **/Output** parameter. +- The following is an example of Reset/Recovery Offline Mode. SetupDiag is instructed to look for reset/recovery logs in the specified LogsPath location. It then outputs the results to the directory specified by the **/Output** parameter. ```cmd SetupDiag.exe /Output:C:\SetupDiag\RecoveryResults.log /LogsPath:D:\Temp\Cabs\PBR_Log /Scenario:Recovery - ``` -- The following example sets recovery scenario in online mode. In the example, SetupDiag searches for reset/recovery logs on the current system and output results in XML format. +- The following example is an example of Reset/Recovery Online Mode. SetupDiag is instructed to look for reset/recovery logs on the current system and output its results in XML format. ```cmd SetupDiag.exe /Scenario:Recovery /Format:xml 
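Review bot: This hunk deletes the closing code fence after the `/Scenario:Recovery` offline example (the removed line containing only the three backticks) and adds nothing in its place, which matches the header going from 13 lines to 12. With the fence left open, the following bullet and its `SetupDiag.exe /Scenario:Recovery /Format:xml` command render inside the previous code block. Restore the closing fence and the blank line before the next bullet. The new wording "The following example is an example of Reset/Recovery Online Mode" is also redundant; "The following is an example of ...", as used in the bullet above it, reads better.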
@@ -180,24 +186,6 @@ For instructions on how to run the tool in offline mode and with more advanced o SetupDiag.exe /Output:C:\SetupDiag\Results.xml /Format:xml ``` -- The following example is an example of Online Mode where no parameters are needed or used. SetupDiag is instructed to look for setup/upgrade logs on the current system and output the results to the same directory where SetupDiag is located. - - ```cmd - SetupDiag.exe - ``` - -- The following example is an example of Reset/Recovery Offline Mode. SetupDiag is instructed to look for reset/recovery logs in the specified LogsPath location. It then outputs the results to the directory specified by the **/Output** parameter. - - ```cmd - SetupDiag.exe /Output:C:\SetupDiag\RecoveryResults.log /LogsPath:D:\Temp\Cabs\PBR_Log /Scenario:Recovery - ``` - -- The following example is an example of Reset/Recovery Online Mode. SetupDiag is instructed to look for reset/recovery logs on the current system and output its results in XML format. - - ```cmd - SetupDiag.exe /Scenario:Recovery /Format:xml - ``` - ## Log files [Windows Setup Log Files and Event Logs](/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs) has information about where logs are created during Windows Setup. For offline processing, SetupDiag should be run against the contents of the entire folder. For example, depending on when the upgrade failed, copy one of the following folders to the offline location: 
@@ -225,7 +213,7 @@ To debug a setup-related bug check: - Install the [Windows Debugging Tools](/windows-hardware/drivers/debugger/debugger-download-tools) on the computer that runs SetupDiag. -In the following example, the `setupmem.dmp` file is copied to the `D:\Dump` directory and the Windows Debugging Tools are installed prior to running SetupDiag: +In the following example, the `setupmem.dmp` file is copied to the `D:\Dump` directory and the Windows Debugging Tools are installed before running SetupDiag: ```cmd SetupDiag.exe /Output:C:\SetupDiag\Dumpdebug.log /LogsPath:D:\Dump 
@@ -276,75 +264,75 @@ Logs ZipFile created at: c:\setupdiag\Logs_14.zip When SetupDiag searches log files, it uses a set of rules to match known issues. These rules are contained in an xml file. The xml file might be updated with new and updated rules as new versions of SetupDiag are made available. -Each rule name and its associated unique rule identifier are listed with a description of the known upgrade-blocking issue. In the rule descriptions, the term **down-level** refers to the first phase of the upgrade process, which runs under the original OS. +Each rule name and its associated unique rule identifier are listed with a description of the known upgrade-blocking issue. In the rule descriptions, the term **downlevel** refers to the first phase of the upgrade process, which runs under the original OS. | Rule Name | GUID | Description | | --- | --- | | **CompatScanOnly** | FFDAFD37-DB75-498A-A893-472D49A1311D | This rule indicates that `setup.exe` was called with a specific command line parameter that indicated setup was to do a compatibility scan only, not an upgrade. | | **PlugInComplianceBlock** | D912150B-1302-4860-91B5-527907D08960 | Detects all compatibility blocks from Server compliance plug-ins. This rule is for server upgrades only. It outputs the compliance block and remediation required. | | **BitLockerHardblock** | C30152E2-938E-44B8-915B-D1181BA635AE | This block is an upgrade block when the target OS doesn't support BitLocker, yet the host OS has BitLocker enabled. | -| **VHDHardblock** | D9ED1B82-4ED8-4DFD-8EC0-BE69048978CC | This block happens when the host OS is booted to a VHD image. Upgrade isn't supported when the host OS is booted from a VHD image. | -| **PortableWorkspaceHardblock** | 5B0D3AB4-212A-4CE4-BDB9-37CA404BB280 | This block indicates that the host OS is booted from a Windows To-Go device (USB key). Upgrade isn't supported in the Windows To-Go environment. 
| -| **AuditModeHardblock** | A03BD71B-487B-4ACA-83A0-735B0F3F1A90 | This block indicates that the host OS is currently booted into Audit Mode, a special mode for modifying the Windows state. Upgrade isn't supported from this state. | +| **VHDHardblock** | D9ED1B82-4ED8-4DFD-8EC0-BE69048978CC | This block happens when the host OS is booted to a VHD image. Upgrade isn't supported when the host OS is booted from a VHD image. | +| **PortableWorkspaceHardblock** | 5B0D3AB4-212A-4CE4-BDB9-37CA404BB280 | This block indicates that the host OS is booted from a Windows To-Go device (USB key. Upgrade isn't supported in the Windows To-Go environment. | +| **AuditModeHardblock** | A03BD71B-487B-4ACA-83A0-735B0F3F1A90 | This block indicates that the host OS is currently booted into Audit Mode, a special mode for modifying the Windows state. Upgrade isn't supported from this state. | | **SafeModeHardblock** | 404D9523-B7A8-4203-90AF-5FBB05B6579B | This block indicates that the host OS is booted to Safe Mode, where upgrade isn't supported. | | **InsufficientSystemPartitionDiskSpaceHardblock** | 3789FBF8-E177-437D-B1E3-D38B4C4269D1 | This block is encountered when setup determines the system partition doesn't have enough space to be serviced with the newer boot files required during the upgrade process. The system partition is where the boot loader files are stored | | **CompatBlockedApplicationAutoUninstall** | BEBA5BC6-6150-413E-8ACE-5E1EC8D34DD5 | This rule indicates there's an application that needs to be uninstalled before setup can continue. | -| **CompatBlockedApplicationDismissable** | EA52620B-E6A0-4BBC-882E-0686605736D9 | When setup is run in **/quiet** mode, there are dismissible application messages that turn into blocks unless the command line also specifies **/compat ignorewarning**. This rule indicates setup was executed in **/quiet** mode but there's an application dismissible block message that prevented setup from continuing. 
| -| **CompatBlockedFODDismissable** | 7B693C42-793E-4E9E-A10B-ED0F33D45E2A | When setup is run in **/quiet** mode, there are dismissible Feature On Demand messages that turn into blocks unless the command line also specifies **/compat ignorewarning**. This rule indicates setup was executed in **/quiet** mode but there's a Feature On Demand dismissible block message that prevented setup from continuing, usually that the target OS image is missing a Feature On Demand that is installed in the current OS. Removal of the Feature On Demand in the current OS should also resolve the issue. -| **CompatBlockedApplicationManualUninstall** | 9E912E5F-25A5-4FC0-BEC1-CA0EA5432FF4 | This rule indicates that an application without an Add/Remove Programs entry, is present on the system and blocking setup from continuing. This block typically requires manual removal of the files associated with this application to continue. | +| **CompatBlockedApplicationDismissable** | EA52620B-E6A0-4BBC-882E-0686605736D9 | When setup is run in **/quiet** mode, there are dismissible application messages that turn into blocks unless the command line also specifies **/compat ignorewarning**. This rule indicates setup was executed in **/quiet** mode but there's an application dismissible block message that prevented setup from continuing. | +| **CompatBlockedFODDismissable** | 7B693C42-793E-4E9E-A10B-ED0F33D45E2A | When setup is run in **/quiet** mode, there are dismissible Feature On Demand messages that turn into blocks unless the command line also specifies **/compat ignorewarning**. This rule indicates setup was executed in **/quiet** mode but there's a Feature On Demand dismissible block message that prevented setup from continuing, usually that the target OS image is missing a Feature On Demand that is installed in the current OS. Removal of the Feature On Demand in the current OS should also resolve the issue. 
+| **CompatBlockedApplicationManualUninstall** | 9E912E5F-25A5-4FC0-BEC1-CA0EA5432FF4 | This rule indicates that an application without an Add/Remove Programs entry, is present on the system and blocking setup from continuing. This block typically requires manual removal of the files associated with this application to continue. | | **GenericCompatBlock** | 511B9D95-C945-4F9B-BD63-98F1465E1CF6 | The rule indicates that system doesn't meet a hardware requirement for running Windows. For example, the device is missing a requirement for TPM 2.0. This issue can occur even when an attempt is made to bypass the hardware requirements. | | **GatedCompatBlock** | 34A9F145-3842-4A68-987F-4622EE0FC162 | This rule indicates that the upgrade failed due to a temporary block. A temporary block is put in place when an issue is found with a specific piece of software or hardware driver and the issue has a fix pending. The block is lifted once the fix is widely available. | -| **HardblockDeviceOrDriver** | ED3AEFA1-F3E2-4F33-8A21-184ADF215B1B | This error indicates a device driver that is loaded on the host OS isn't compatible with the newer OS version. The device driver needs to be removed prior to the upgrade. | +| **HardblockDeviceOrDriver** | ED3AEFA1-F3E2-4F33-8A21-184ADF215B1B | This error indicates a device driver that is loaded on the host OS isn't compatible with the newer OS version. The device driver needs to be removed before the upgrade. | | **HardblockMismatchedLanguage** | 60BA8449-CF23-4D92-A108-D6FCEFB95B45 | This rule indicates the host OS and the target OS language editions don't match. | -| **HardblockFlightSigning** | 598F2802-3E7F-4697-BD18-7A6371C8B2F8 | This rule indicates the target OS is a pre-release, Windows Insider build, and the target machine has Secure Boot enabled. This rule blocks the pre-release signed build from booting if installed on the machine. 
| -| **DiskSpaceBlockInDownLevel** | 6080AFAC-892E-4903-94EA-7A17E69E549E | This failure indicates the system ran out of disk space during the down-level operations of upgrade. | +| **HardblockFlightSigning** | 598F2802-3E7F-4697-BD18-7A6371C8B2F8 | This rule indicates the target OS is a pre-release, Windows Insider build, and the target machine has Secure Boot enabled. This rule blocks the pre-release signed build from booting if installed on the machine. | +| **DiskSpaceBlockInDownLevel** | 6080AFAC-892E-4903-94EA-7A17E69E549E | This failure indicates the system ran out of disk space during the downlevel operations of upgrade. | | **DiskSpaceFailure** | 981DCBA5-B8D0-4BA7-A8AB-4030F7A10191 | This failure indicates the system drive ran out of available disk space at some point after the first reboot into the upgrade. | | **PreReleaseWimMountDriverFound** | 31EC76CC-27EC-4ADC-9869-66AABEDB56F0 | Captures failures due to having an unrecognized `wimmount.sys` driver registered on the system. | -| **DebugSetupMemoryDump** | C7C63D8A-C5F6-4255-8031-74597773C3C6 | This offline only rule indicates a bug check occurred during setup. If the debugger tools are available on the system, SetupDiag debugs the memory dump and provide details. | -| **DebugSetupCrash** | CEEBA202-6F04-4BC3-84B8-7B99AED924B1 | This offline only rule indicates that setup itself encountered a failure that resulted in a process memory dump. If the debugger tools are installed on the system, SetupDiag debugs the memory dump and give further details. | -| **DebugMemoryDump** | 505ED489-329A-43F5-B467-FCAAF6A1264C | This offline only rule is for any memory.dmp file that resulted during the setup/upgrade operation. If the debugger tools are installed on the system, SetupDiag debugs the memory dump and give further details. | +| **DebugSetupMemoryDump** | C7C63D8A-C5F6-4255-8031-74597773C3C6 | This offline only rule indicates a bug check occurred during setup. 
If the debugger tools are available on the system, SetupDiag debugs the memory dump and provide details. | +| **DebugSetupCrash** | CEEBA202-6F04-4BC3-84B8-7B99AED924B1 | This offline only rule indicates that setup itself encountered a failure that resulted in a process memory dump. If the debugger tools are installed on the system, SetupDiag debugs the memory dump and give further details. | +| **DebugMemoryDump** | 505ED489-329A-43F5-B467-FCAAF6A1264C | This offline only rule is for any memory.dmp file that resulted during the setup/upgrade operation. If the debugger tools are installed on the system, SetupDiag debugs the memory dump and give further details. | | **DeviceInstallHang** | 37BB1C3A-4D79-40E8-A556-FDA126D40BC6 | This failure rule indicates the system hung or bug checked during the device installation phase of upgrade. | | **DriverPackageMissingFileFailure** | 37BB1C3A-4D79-40E8-A556-FDA126D40BC6 | This rule indicates that a driver package had a missing file during device install. Updating the driver package might help resolve the issue. | | **UnsignedDriverBootFailure** | CD270AA4-C044-4A22-886A-F34EF2E79469 | This rule indicates that an unsigned driver caused a boot failure. | -| **BootFailureDetected** | 4FB446C2-D4EC-40B4-97E2-67EB19D1CFB7 | This rule indicates a boot failure occurred during a specific phase of the update. The rule indicates the failure code and phase for diagnostic purposes. | +| **BootFailureDetected** | 4FB446C2-D4EC-40B4-97E2-67EB19D1CFB7 | This rule indicates a boot failure occurred during a specific phase of the update. The rule indicates the failure code and phase for diagnostic purposes. | | **WinSetupBootFilterFailure** | C073BFC8-5810-4E19-B53B-4280B79E096C | Detects failures in the kernel mode file operations. | | **FindDebugInfoFromRollbackLog** | 9600EB68-1120-4A87-9FE9-3A4A70ACFC37 | This rule determines and gives details when a bug check occurs during the setup/upgrade process that resulted in a memory dump. 
However, a debugger package isn't required on the executing machine. | -| **AdvancedInstallerFailed** | 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC | Finds fatal advanced installer operations that cause setup failures. Indicates critical failure in the AdvancedInstaller while running an installer package, includes the .exe being called, the phase, mode, component and error codes. | +| **AdvancedInstallerFailed** | 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC | Finds fatal advanced installer operations that cause setup failures. Indicates critical failure in the AdvancedInstaller while running an installer package, includes the .exe being called, the phase, mode, component, and error codes. | | **AdvancedInstallerPluginInstallFailed** | 2F784A0E-CEB1-47C5-8072-F1294C7CB4AE | This rule indicates some component that was being installed via an advanced installer (FeatureOnDemand, Language Packs, .NET packages, etc.) failed to install. The rule calls out what was being installed. If the failed component is a FeatureOnDemand, remove the Windows Feature, reboot, and try the upgrade again. If the failed component is a Language Pack, remove the additional language pack, reboot, and try the upgrade again. | -| **AdvancedInstallerGenericFailure** | 4019550D-4CAA-45B0-A222-349C48E86F71 | A rule to match AdvancedInstaller read/write failures in a generic sense. Triggers on advanced installer failures in a generic sense. It outputs the application called, phase, mode, component and error code. | -| **FindMigApplyUnitFailure** | A4232E11-4043-4A37-9BF4-5901C46FD781 | Detects a migration unit failure that caused the update to fail. This rule outputs the name of the migration plug-in and the error code it produced for diagnostic purposes. | -| **FindMigGatherUnitFailure** | D04C064B-CD77-4E64-96D6-D26F30B4EE29 | Detects a migration gather unit failure that caused the update to fail. This rule outputs the name of the gather unit/plug-in and the error code it produced for diagnostic purposes. 
| -| **FindMigGatherApplyFailure** | A9964E6C-A2A8-45FF-B6B5-25E0BD71428E | Shows errors when the migration Engine fails out on a gather or apply operation. Indicates the Migration Object (file or registry path), the Migration | -| **OptionalComponentFailedToGetOCsFromPackage** | D012E2A2-99D8-4A8C-BBB2-088B92083D78 | This rule matches a specific Optional Component failure when attempting to enumerate components in a package. Indicates the optional component (OC) migration operation failed to enumerate optional components from an OC Package. It outputs the package name and error code. This rule replaces the OptionalComponentInstallFailure rule present. | -| **OptionalComponentOpenPackageFailed** | 22952520-EC89-4FBD-94E0-B67DF88347F6 | Matches a specific Optional Component failure when attempting to open an OC package. It outputs the package name and error code. Indicates the optional component migration operation failed to open an optional component Package. Outputs the package name and error code. | -| **OptionalComponentInitCBSSessionFailed** | 63340812-9252-45F3-A0F2-B2A4CA5E9317 | Matches a specific failure where the advanced installer service or components aren't operating or started on the system. Indicates corruption in the servicing stack on the down-level system. Outputs the error code encountered while trying to initialize the servicing component on the existing OS. | -| **CriticalSafeOSDUFailure** | 73566DF2-CA26-4073-B34C-C9BC70DBF043 | This rule indicates a failure occurred while updating the SafeOS image with a critical dynamic update. It indicates the phase and error code that occurred while attempting to update the SafeOS image for diagnostic purposes. | -| **UserProfileCreationFailureDuringOnlineApply** | 678117CE-F6A9-40C5-BC9F-A22575C78B14 | Indicates there was a critical failure while creating or modifying a User Profile during the online apply phase of the update. 
It indicates the operation and error code associated with the failure for diagnostic purposes. | -| **UserProfileCreationFailureDuringFinalize** | C6677BA6-2E53-4A88-B528-336D15ED1A64 | Matches a specific User Profile creation error during the finalize phase of setup. It outputs the failure code. | +| **AdvancedInstallerGenericFailure** | 4019550D-4CAA-45B0-A222-349C48E86F71 | A rule to match AdvancedInstaller read/write failures in a generic sense. Triggers on advanced installer failures in a generic sense. It outputs the application called, phase, mode, component, and error code. | +| **FindMigApplyUnitFailure** | A4232E11-4043-4A37-9BF4-5901C46FD781 | Detects a migration unit failure that caused the update to fail. This rule outputs the name of the migration plug-in and the error code it produced for diagnostic purposes. | +| **FindMigGatherUnitFailure** | D04C064B-CD77-4E64-96D6-D26F30B4EE29 | Detects a migration gather unit failure that caused the update to fail. This rule outputs the name of the gather unit/plug-in and the error code it produced for diagnostic purposes. | +| **FindMigGatherApplyFailure** | A9964E6C-A2A8-45FF-B6B5-25E0BD71428E | Shows errors when the migration Engine fails out on a gather or apply operation. Indicates the Migration Object (file or registry path), the Migration | +| **OptionalComponentFailedToGetOCsFromPackage** | D012E2A2-99D8-4A8C-BBB2-088B92083D78 | This rule matches a specific Optional Component failure when attempting to enumerate components in a package. Indicates the optional component (OC) migration operation failed to enumerate optional components from an OC Package. It outputs the package name and error code. This rule replaces the OptionalComponentInstallFailure rule present. | +| **OptionalComponentOpenPackageFailed** | 22952520-EC89-4FBD-94E0-B67DF88347F6 | Matches a specific Optional Component failure when attempting to open an OC package. It outputs the package name and error code. 
Indicates the optional component migration operation failed to open an optional component Package. Outputs the package name and error code. | +| **OptionalComponentInitCBSSessionFailed** | 63340812-9252-45F3-A0F2-B2A4CA5E9317 | Matches a specific failure where the advanced installer service or components aren't operating or started on the system. Indicates corruption in the servicing stack on the downlevel system. Outputs the error code encountered while trying to initialize the servicing component on the existing OS. | +| **CriticalSafeOSDUFailure** | 73566DF2-CA26-4073-B34C-C9BC70DBF043 | This rule indicates a failure occurred while updating the SafeOS image with a critical dynamic update. It indicates the phase and error code that occurred while attempting to update the SafeOS image for diagnostic purposes. | +| **UserProfileCreationFailureDuringOnlineApply** | 678117CE-F6A9-40C5-BC9F-A22575C78B14 | Indicates there was a critical failure while creating or modifying a User Profile during the online apply phase of the update. It indicates the operation and error code associated with the failure for diagnostic purposes. | +| **UserProfileCreationFailureDuringFinalize** | C6677BA6-2E53-4A88-B528-336D15ED1A64 | Matches a specific User Profile creation error during the finalize phase of setup. It outputs the failure code. | | **UserProfileSuffixMismatch** | B4BBCCCE-F99D-43EB-9090-078213397FD8 | Detects when a file or other object causes the migration or creation of a user profile to fail during the update. | | **DuplicateUserProfileFailure** | BD7B3109-80F1-4421-8F0A-B34CD25F4B51 | This rule indicates a fatal error while migrating user profiles, usually with multiple SIDs associated with a single user profile. This error usually occurs when software creates local user accounts that aren't ever used or signed in with. The rule indicates the SID and UserName of the account that is causing the failure. 
To attempt to resolve the issue, first back up all the user's files for the affected user account. After the user's files are backed up, delete the account in a supported manner. Make sure that the account isn't one that is needed or is currently used to sign into the device. After deleting the account, reboot, and try the upgrade again. | -| **WimMountFailure** | BE6DF2F1-19A6-48C6-AEF8-D3B0CE3D4549 | This rule indicates the update failed to mount a WIM file. It shows the name of the WIM file and the error message and error code associated with the failure for diagnostic purposes. | +| **WimMountFailure** | BE6DF2F1-19A6-48C6-AEF8-D3B0CE3D4549 | This rule indicates the update failed to mount a WIM file. It shows the name of the WIM file and the error message and error code associated with the failure for diagnostic purposes. | | **WimMountDriverIssue** | 565B60DD-5403-4797-AE3E-BC5CB972FBAE | Detects failures in `WimMount.sys` registration on the system. | -| **WimApplyExtractFailure** | 746879E9-C9C5-488C-8D4B-0C811FF3A9A8 | Matches a WIM apply failure during WIM extraction phases of setup. It outputs the extension, path and error code. | -| **UpdateAgentExpanderFailure** | 66E496B3-7D19-47FA-B19B-4040B9FD17E2 | Matches DPX expander failures in the down-level phase of update from Windows Update. It outputs the package name, function, expression and error code. | -| **FindFatalPluginFailure** | E48E3F1C-26F6-4AFB-859B-BF637DA49636 | Matches any plug-in failure that setupplatform decides is fatal to setup. It outputs the plugin name, operation and error code. | -| **MigrationAbortedDueToPluginFailure** | D07A24F6-5B25-474E-B516-A730085940C9 | Indicates a critical failure in a migration plugin that causes setup to abort the migration. Provides the setup operation, plug-in name, plug-in action and error code. | -| **DISMAddPackageFailed** | 6196FF5B-E69E-4117-9EC6-9C1EAB20A3B9 | Indicates a critical failure during a DISM add package operation. 
Specifies the Package Name, DISM error and add package error code. | +| **WimApplyExtractFailure** | 746879E9-C9C5-488C-8D4B-0C811FF3A9A8 | Matches a WIM apply failure during WIM extraction phases of setup. It outputs the extension, path, and error code. | +| **UpdateAgentExpanderFailure** | 66E496B3-7D19-47FA-B19B-4040B9FD17E2 | Matches DPX expander failures in the downlevel phase of update from Windows Update. It outputs the package name, function, expression, and error code. | +| **FindFatalPluginFailure** | E48E3F1C-26F6-4AFB-859B-BF637DA49636 | Matches any plug-in failure that setupplatform decides is fatal to setup. It outputs the plugin name, operation, and error code. | +| **MigrationAbortedDueToPluginFailure** | D07A24F6-5B25-474E-B516-A730085940C9 | Indicates a critical failure in a migration plugin that causes setup to abort the migration. Provides the setup operation, plug-in name, plug-in action and error code. | +| **DISMAddPackageFailed** | 6196FF5B-E69E-4117-9EC6-9C1EAB20A3B9 | Indicates a critical failure during a DISM add package operation. Specifies the Package Name, DISM error and add package error code. | | **DISMImageSessionFailure** | 61B7886B-10CD-4C98-A299-B987CB24A11C | Captures failure information when DISM fails to start an image session successfully. | -| **DISMproviderFailure** | D76EF86F-B3F8-433F-9EBF-B4411F8141F4 | Triggers when a DISM provider (plug-in) fails in a critical operation. Outputs the file (plug-in name), function called + error code, and error message from the provider. | -| **SysPrepLaunchModuleFailure** | 7905655C-F295-45F7-8873-81D6F9149BFD | Indicates a sysPrep plug-in failed in a critical operation. Indicates the plug-in name, operation name and error code. | -| **UserProvidedDriverInjectionFailure** | 2247C48A-7EE3-4037-AFAB-95B92DE1D980 | A driver provided to setup (via command line input) failed in some way. Outputs the driver install function and error code. 
| +| **DISMproviderFailure** | D76EF86F-B3F8-433F-9EBF-B4411F8141F4 | Triggers when a DISM provider (plug-in) fails in a critical operation. Outputs the file (plug-in name), function called + error code, and error message from the provider. | +| **SysPrepLaunchModuleFailure** | 7905655C-F295-45F7-8873-81D6F9149BFD | Indicates a sysPrep plug-in failed in a critical operation. Indicates the plug-in name, operation name, and error code. | +| **UserProvidedDriverInjectionFailure** | 2247C48A-7EE3-4037-AFAB-95B92DE1D980 | A driver provided to setup (via command line input) failed in some way. Outputs the driver install function and error code. | | **DriverMigrationFailure** | 9378D9E2-256E-448C-B02F-137F611F5CE3 | This rule indicates a fatal failure when migrating drivers. | -| **UnknownDriverMigrationFailure** | D7541B80-5071-42CE-AD14-FBE8C0C4F7FD | This rule indicates a bad driver package resides on the system. The driver package causes the upgrade to fail when the driver package is attempted to migrate to the new OS. The rule usually indicates the driver package name that caused the issue. The remediation is to remove the bad driver package, reboot, and try the upgrade again. If an update to this driver is available from the OEM, updating the driver package is recommended. | +| **UnknownDriverMigrationFailure** | D7541B80-5071-42CE-AD14-FBE8C0C4F7FD | This rule indicates a bad driver package resides on the system. The driver package causes the upgrade to fail when the driver package is attempted to migrate to the new OS. The rule usually indicates the driver package name that caused the issue. The remediation is to remove the bad driver package, reboot, and try the upgrade again. If an update to this driver is available from the OEM, updating the driver package is recommended. | | | | | **FindSuccessfulUpgrade** | 8A0824C8-A56D-4C55-95A0-22751AB62F3E | Determines if the given setup was a success or not based off the logs. 
| | **FindSetupHostReportedFailure** | 6253C04F-2E4E-4F7A-B88E-95A69702F7EC | Gives information about failures surfaced early in the upgrade process by `setuphost.exe` | -| **FindDownlevelFailure** | 716334B7-F46A-4BAA-94F2-3E31BC9EFA55 | Gives failure information surfaced by SetupPlatform, later in the down-level phase. | -| **FindAbruptDownlevelFailure** | 55882B1A-DA3E-408A-9076-23B22A0472BD | Gives last operation failure information when the system fails in the down-level, but the log just ends abruptly. | -| **FindEarlyDownlevelError** | A4CE4FC9-5E10-4BB1-8ECE-3B29EB9D7C52 | Detects failures in down-level phase before setup platform is invoked. | +| **FindDownlevelFailure** | 716334B7-F46A-4BAA-94F2-3E31BC9EFA55 | Gives failure information surfaced by SetupPlatform, later in the downlevel phase. | +| **FindAbruptDownlevelFailure** | 55882B1A-DA3E-408A-9076-23B22A0472BD | Gives last operation failure information when the system fails in the downlevel, but the log just ends abruptly. | +| **FindEarlyDownlevelError** | A4CE4FC9-5E10-4BB1-8ECE-3B29EB9D7C52 | Detects failures in downlevel phase before setup platform is invoked. | | **FindSPFatalError** | A4028172-1B09-48F8-AD3B-86CDD7D55852 | Captures failure information when setup platform encounters a fatal error. | -| **FindSetupPlatformFailedOperationInfo** | 307A0133-F06B-4B75-AEA8-116C3B53C2D1 | Gives last phase and error information when SetupPlatform indicates a critical failure. This rule indicates the operation and error associated with the failure for diagnostic purposes. | -| **FindRollbackFailure** | 3A43C9B5-05B3-4F7C-A955-88F991BB5A48 | Gives last operation, failure phase and error information when a rollback occurs. | +| **FindSetupPlatformFailedOperationInfo** | 307A0133-F06B-4B75-AEA8-116C3B53C2D1 | Gives last phase and error information when SetupPlatform indicates a critical failure. This rule indicates the operation and error associated with the failure for diagnostic purposes. 
| +| **FindRollbackFailure** | 3A43C9B5-05B3-4F7C-A955-88F991BB5A48 | Gives last operation, failure phase, and error information when a rollback occurs. | ## Sample logs @@ -374,8 +362,8 @@ System Information: ReportId = dd4db176-4e3f-4451-aef6-22cf46de8bde Error: SetupDiag reports Optional Component installation failed to open OC Package. Package Name: Foundation, Error: 0x8007001F -Recommend you check the "Windows Modules Installer" service (Trusted Installer) is started on the system and set to automatic start, reboot and try the update again. Optionally, you can check the status of optional components on the system (search for Windows Features), uninstall any unneeded optional components, reboot and try the update again. -Error: SetupDiag reports down-level failure, Operation: Finalize, Error: 0x8007001F - 0x50015 +Recommend you check the "Windows Modules Installer" service (Trusted Installer) is started on the system and set to automatic start, reboot and try the update again. Optionally, you can check the status of optional components on the system (search for Windows Features), uninstall any unneeded optional components, reboot and try the update again. +Error: SetupDiag reports downlevel failure, Operation: Finalize, Error: 0x8007001F - 0x50015 Refer to https://learn.microsoft.com/windows/deployment/upgrade/upgrade-error-codes for error information. ``` diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md index fd90fdc246..f1fc97e892 100644 --- a/windows/deployment/upgrade/submit-errors.md +++ b/windows/deployment/upgrade/submit-errors.md 
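Review bot: In the SetupDiag rules table hunk, the re-added **DebugSetupCrash** and **DebugMemoryDump** rows read "SetupDiag debugs the memory dump and give further details"; the verb should be "gives" in both. Since these rows are being rewritten anyway, two more items in the same hunk are worth fixing: the **FindMigGatherApplyFailure** description still stops mid-sentence at "the Migration", and the serial comma added to the other rows was missed in **MigrationAbortedDueToPluginFailure** ("plug-in action and error code") and **DISMAddPackageFailed** ("DISM error and add package error code"). The unchanged rows **DeviceInstallHang** and **DriverPackageMissingFileFailure** also list the same GUID, 37BB1C3A-4D79-40E8-A556-FDA126D40BC6, which should be confirmed against the tool before this table is republished.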
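Review bot: In the sample-log hunk (`@@ -374,8 +362,8 @@`), the line "Error: SetupDiag reports down-level failure, Operation: Finalize, Error: 0x8007001F - 0x50015" sits inside a fenced block of SetupDiag output, so rewriting it to "downlevel" changes quoted tool output rather than prose. Keep the original spelling unless the tool itself now prints "downlevel"; otherwise anyone searching their own logs for the documented string will not get a match.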
@@ -2,13 +2,13 @@ title: Submit Windows upgrade errors using Feedback Hub manager: aaroncz ms.author: frankroj -description: Download the Feedback Hub app, and then submit Windows upgrade errors for diagnosis using feedback hub. +description: Download the Feedback Hub app, and then submit Windows upgrade errors for diagnosis using Feedback Hub. ms.service: windows-client author: frankroj ms.localizationpriority: medium ms.topic: troubleshooting-general ms.subservice: itpro-deploy -ms.date: 01/29/2025 +ms.date: 04/08/2025 appliesto: - ✅ Windows 11 - ✅ Windows 10 
@@ -28,17 +28,17 @@ This article describes how to submit problems with a Windows upgrade to Microsof The Feedback Hub app allows reporting to Microsoft of any problems encountered while using Windows. It also allows sending suggestions to Microsoft on how to improve the Windows experience. Previously, the Feedback Hub could only be used through the Windows Insider Program. Now anyone can use this tool. The Feedback Hub app can be downloaded from the [Microsoft Store](https://www.microsoft.com/store/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0). -The Feedback Hub requires a currently supported version of Windows. The Feedback Hub can be used to submit information to Microsoft if problems are encountered while upgrading Windows. If upgrading to a currently supported version of Windows from a previous version that's Windows 10 or newer, the Feedback Hub automatically collects log files. For operating systems prior to Windows 10 that don't support the Feedback Hub, the log files must be manually collected. The log files can then be attached to the feedback item using a device that is running a currently supported version of Windows that supports the Feedback Hub. +The Feedback Hub requires a [currently supported version of Windows](/windows/release-health/supported-versions-windows-client). The Feedback Hub can be used to submit information to Microsoft if problems are encountered while upgrading Windows. If upgrading between [currently supported version of Windows](/windows/release-health/supported-versions-windows-client), the Feedback Hub automatically collects log files. For out of support operating systems before Windows 10 that don't support the Feedback Hub, the log files must be manually collected. The log files can then be attached to the feedback item using a device that is running a [currently supported version of Windows](/windows/release-health/supported-versions-windows-client) that supports the Feedback Hub. 
## Submit feedback To submit feedback about a failed Windows upgrade, open the [Feedback Hub](feedback-hub://?referrer=resolveUpgradeErrorsPage&tabid=2&contextid=81&newFeedback=true&feedbackType=2&topic=submit-errors.md). -In the Feedback Hub, fill out all four sections with as much detail as possible: +In the Feedback Hub, fill out all of the sections with as much detail as possible: 1. **Enter your feedback** 1. **Choose a category** -1. **Find similar feedback** +1. **Find similar feedback** - this section doesn't have anything to fill out, but it is important to check for similar feedback items. If a similar feedback item is found, select it and then select the **Next** button. This allows Microsoft to see how many people are affected by the same issue. 1. **Add more details** Recommended information that can be included under the **Add more details** section include: @@ -71,5 +71,3 @@ After the feedback is submitted, additional information and items can be added t 1. Copy and then use the short link that is displayed. :::image type="content" alt-text="Share example." source="../images/share.jpg"::: - -## Related articles diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md index 958dbd15ef..d2da8a5c3d 100644 --- a/windows/deployment/upgrade/windows-error-reporting.md +++ b/windows/deployment/upgrade/windows-error-reporting.md @@ -8,7 +8,7 @@ author: frankroj ms.localizationpriority: medium ms.topic: article ms.subservice: itpro-deploy -ms.date: 01/29/2025 +ms.date: 04/08/2025 appliesto: - ✅ Windows 11 - ✅ Windows 10 
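Review bot: In `submit-errors.md`, hunk `@@ -28,17 +28,17 @@`, the new sentence "If upgrading between [currently supported version of Windows](...)" needs the plural "versions", and "out of support operating systems" should be hyphenated as "out-of-support". The same link is repeated three times in one paragraph; linking only the first mention would read better. In the list, the intro now says to fill out all of the sections while the added text on **Find similar feedback** says that section has nothing to fill out, so consider rewording the intro (for example "complete" or "review"). "it is important" should also be "it's important" to match the contractions used in the rest of the paragraph.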
@@ -22,7 +22,7 @@ appliesto: > > See [Resolve Windows upgrade errors](resolve-windows-upgrade-errors.md) for a full list of articles in this section. -When Windows Setup fails, the result and extend code are recorded as an informational event in the Application log by Windows Error Reporting as event 1001. The event name is **WinSetupDiag02**. Event Viewer or Windows PowerShell can be used to review this event. +When Windows Setup fails, the [result code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes) and [extend code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes) are recorded as an informational event in the Application log by Windows Error Reporting as event 1001. The event name is **WinSetupDiag02**. Event Viewer or Windows PowerShell can be used to review this event. To use Windows PowerShell, type the following commands from an elevated Windows PowerShell prompt: 
@@ -48,18 +48,18 @@ To use Event Viewer: Ten parameters are listed in the event: -| Parameters | -| ------------- | -| P1: The Setup Scenario (1=Media,5=WindowsUpdate,7=Media Creation Tool) | -| P2: Setup Mode (x=default,1=Downlevel,5=Rollback) | -| P3: New OS Architecture (x=default,0=X86,9=AMD64) | -| P4: Install Result (x=default,0=Success,1=Failure,2=Cancel,3=Blocked) | -| **P5: Result Error Code** (Ex: 0xc1900101) | -| **P6: Extend Error Code** (Ex: 0x20017) | -| P7: Source OS build (Ex: 9600) | -| P8: Source OS branch (not typically available) | -| P9: New OS build (Ex: 16299) | -| P10: New OS branch (Ex: rs3_release) | +| Parameters | Description| Example | +| ------------- | --- | --- | +| P1 | The Setup Scenario | 1=Media, 5=WindowsUpdate, 7=Media Creation Tool | +| P2 | Setup Mode | x=default, 1=Downlevel, 5=Rollback | +| P3 | New OS Architecture | x=default, 0=X86, 9=AMD64 | +| P4 | Install Result | x=default, 0=Success, 1=Failure,2=Cancel, 3=Blocked | +| **P5** | Result Error Code | 0xc1900101 | +| **P6** | Extend Error Code | 0x20017 | +| P7 | Source OS build | 9600 | +| P8 | Source OS branch | Not typically available | +| P9 | New OS build | 16299 | +| P10 | New OS branch | rs3_release | The event also contains links to log files that can be used to perform a detailed diagnosis of the error. The following example is an example of this event from a successful upgrade: diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md index ca0f26473f..e1d51e9ebd 100644 --- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md +++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md 
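Review bot: In `windows-error-reporting.md`, hunk `@@ -48,18 +48,18 @@`, the new third column is headed "Example", but for P1 through P4 it holds the value-to-meaning mapping (for instance "x=default, 0=Success, 1=Failure,2=Cancel, 3=Blocked") and for P8 it holds "Not typically available", neither of which is an example. Rename the column to something like "Values or example", or move the mappings into the Description column. Minor formatting in the same rows: "Description|" lacks a space before the pipe, "1=Failure,2=Cancel" lacks one after the comma, and the first header cell would read better as singular "Parameter".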
@@ -7,7 +7,10 @@ ms.service: windows-client author: frankroj ms.topic: upgrade-and-migration-article ms.subservice: itpro-deploy -ms.date: 08/30/2024 +ms.date: 04/08/2025 +appliesto: + - ✅ Windows 11 + - ✅ Windows 10 --- # Windows upgrade and migration considerations @@ -61,7 +64,7 @@ If a single-language Windows image that matches the system default UI language o ### Errorhandler.cmd -If using **Errorhandler.cmd** when upgrading from an earlier version of Windows, copy **Errorhandler.cmd** into the `%WINDIR%\Setup\Scripts` directory on the original installation of Windows. Copying **Errorhandler.cmd** into the `%WINDIR%\Setup\Scripts` directory on the original installation of Windows makes sure that if there are errors during the down-level phase of Windows Setup, the commands in **Errorhandler.cmd** run. For more information, see [Run a script if Windows Setup encounters a fatal error (ErrorHandler.cmd)](/windows-hardware/manufacture/desktop/add-a-custom-script-to-windows-setup#run-a-script-if-windowssetup-encounters-a-fatal-error-errorhandlercmd). +If using **Errorhandler.cmd** when upgrading from an earlier version of Windows, copy **Errorhandler.cmd** into the `%WINDIR%\Setup\Scripts` directory on the original installation of Windows. Copying **Errorhandler.cmd** into the `%WINDIR%\Setup\Scripts` directory on the original installation of Windows makes sure that if there are errors during the downlevel phase of Windows Setup, the commands in **Errorhandler.cmd** run. For more information, see [Run a script if Windows Setup encounters a fatal error (ErrorHandler.cmd)](/windows-hardware/manufacture/desktop/add-a-custom-script-to-windows-setup#run-a-script-if-windowssetup-encounters-a-fatal-error-errorhandlercmd). ## Related content diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md index a3eb3ff2fb..b52cda4040 100644 
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md @@ -1,7 +1,7 @@ --- title: Hotpatch updates description: Use Hotpatch updates to receive security updates without restarting your device -ms.date: 04/02/2025 +ms.date: 04/04/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -91,7 +91,7 @@ LCUs requires you to restart the device, but the LCU ensures that the device rem 1. Select **Devices** from the left navigation menu. 1. Under the **Manage updates** section, select **Windows updates**. 1. Go to the **Quality updates** tab. -1. Select **Create**, and select **Windows quality update policy (preview)**. +1. Select **Create**, and select **Windows quality update policy**. 1. Under the **Basics** section, enter a name for your new policy and select Next. 1. Under the **Settings** section, set **"When available, apply without restarting the device ("Hotpatch")** to **Allow**. Then, select **Next**. 1. Select the appropriate Scope tags or leave as Default and select **Next**. diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md index e8c49abfe2..fa37013aee 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md @@ -1,7 +1,7 @@ --- title: Hotpatch quality update report description: Use the Hotpatch quality update report to view the current update statuses for all devices that receive Hotpatch updates -ms.date: 03/31/2025 +ms.date: 04/04/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to 
@@ -15,10 +15,7 @@ ms.collection: - tier1 --- -# Hotpatch quality update report (public preview) - -> [!IMPORTANT] -> This feature is in public preview. It is being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback. +# Hotpatch quality update report The Hotpatch quality update report provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. For more information about Hotpatching, see [Hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md). @@ -27,7 +24,7 @@ The Hotpatch quality update report provides a per policy level view of the curre 1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Navigate to **Reports** > **Windows Autopatch** > **Windows quality updates**. 1. Select the **Reports** tab. -1. Select **Hotpatch quality updates (preview)**. +1. Select **Hotpatch quality updates**. > [!NOTE] > The data in this report is refreshed every four hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md#about-data-latency). diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md index 12fe65bda4..0c65908b37 100644 --- a/windows/security/identity-protection/access-control/access-control.md +++ b/windows/security/identity-protection/access-control/access-control.md 
@@ -1,6 +1,6 @@ --- -ms.date: 09/06/2024 -title: Access Control overview +ms.date: 04/07/2025 +title: Access Control Overview description: Learn about access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. ms.topic: overview appliesto: diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index 102e723645..9323170072 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -1,5 +1,5 @@ --- -ms.date: 09/06/2024 +ms.date: 04/07/2025 title: Local Accounts description: Learn how to secure and manage access to the resources on a standalone or member server for services or users. ms.topic: concept-article 
@@ -225,33 +225,33 @@ The following table shows the Group Policy and registry settings that are used t #### To enforce local account restrictions for remote access 1. Start the **Group Policy Management** Console (GPMC) -1. In the console tree, expand <*Forest*>\\Domains\\<*Domain*>, and then **Group Policy Objects** where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO) +1. In the console tree, expand <*Forest*>\Domains\<*Domain*>, and then **Group Policy Objects** where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO) 1. In the console tree, right-click **Group Policy Objects > New** -1. In the **New GPO** dialog box, type <**gpo\_name**>, and > **OK** where *gpo\_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer -1. In the details pane, right-click <**gpo\_name**>, and > **Edit** +1. In the **New GPO** dialog box, type <**gpo_name**>, and > **OK** where *gpo_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer +1. In the details pane, right-click <**gpo_name**>, and > **Edit** 1. 
Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by following these steps: - - Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and > **Security Options** - - Double-click **User Account Control: Run all administrators in Admin Approval Mode** > **Enabled** > **OK** - - Double-click **User Account Control: Admin Approval Mode for the Built-in Administrator account** > **Enabled** > **OK** + - Navigate to the **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** + - Select **User Account Control: Run all administrators in Admin Approval Mode** > **Enabled** > **OK** + - Select **User Account Control: Admin Approval Mode for the Built-in Administrator account** > **Enabled** > **OK** 1. Ensure that the local account restrictions are applied to network interfaces by following these steps: - Navigate to *Computer Configuration\Preferences and Windows Settings*, and > **Registry** - - Right-click **Registry**, and > **New** > **Registry Item** + - Right-click **Registry**, and > **New** > **Registry Item** - In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace** - Ensure that the **Hive** box is set to **HKEY_LOCAL_MACHINE** - - Select (**…**), browse to the following location for **Key Path** > **Select** for: `SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` + - Select (**…**), browse to the following location for **Key Path** > **Select** for: `SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` - In the **Value name** area, type `LocalAccountTokenFilterPolicy` - In the **Value type** box, from the drop-down list, select **REG_DWORD** to change the value - In the **Value data** box, ensure that the value is set to **0** - - Verify this configuration, and > **OK** + - Verify this configuration, and > **OK** 1. 
Link the GPO to the first **Workstations** organizational unit (OU) by doing the following: - Navigate to the `*Forest*\\*Domain*\*OU*` path - Right-click the **Workstations > Link an existing GPO** - - Select the GPO that you created, and > **OK** + - Select the GPO that you created, and > **OK** 1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy 1. Create links to all other OUs that contain workstations 
@@ -278,23 +278,23 @@ The following table shows the Group Policy settings that are used to deny networ #### To deny network logon to all local administrator accounts 1. Start the **Group Policy Management** Console (GPMC) -1. In the console tree, expand <*Forest*>\\Domains\\<*Domain*>, and then **Group Policy Objects**, where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO) -1. In the console tree, right-click **Group Policy Objects**, and > **New** -1. In the **New GPO** dialog box, type <**gpo\_name**>, and then > **OK** where *gpo\_name* is the name of the new GPO indicates that it's being used to restrict the local administrative accounts from interactively signing in to the computer -1. In the details pane, right-click <**gpo\_name**>, and > **Edit** +1. In the console tree, expand <*Forest*>\Domains\<*Domain*>, and then **Group Policy Objects**, where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO) +1. In the console tree, right-click **Group Policy Objects**, and > **New** +1. In the **New GPO** dialog box, type <**gpo_name**>, and then > **OK** where *gpo_name* is the name of the new GPO indicates that it's being used to restrict the local administrative accounts from interactively signing in to the computer +1. In the details pane, right-click <**gpo_name**>, and > **Edit** 1. Configure the user rights to deny network logons for administrative local accounts as follows: -1. Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\, and > **User Rights Assignment** +1. Navigate to the Computer Configuration\Windows Settings\Security Settings\, and > **User Rights Assignment** 1. Double-click **Deny access to this computer from the network** -1. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK** +1. 
Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK** 1. Configure the user rights to deny Remote Desktop (Remote Interactive) logons for administrative local accounts as follows: -1. Navigate to Computer Configuration\\Policies\\Windows Settings and Local Policies, and then select **User Rights Assignment** +1. Navigate to Computer Configuration\Policies\Windows Settings and Local Policies, and then select **User Rights Assignment** 1. Double-click **Deny log on through Remote Desktop Services** -1. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK** +1. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK** 1. Link the GPO to the first **Workstations** OU as follows: - - Navigate to the <*Forest*>\\Domains\\<*Domain*>\\OU path - - Right-click the **Workstations** OU, and > **Link an existing GPO** - - Select the GPO that you created, and > **OK** + - Navigate to the <*Forest*>\Domains\<*Domain*>\OU path + - Right-click the **Workstations** OU, and > **Link an existing GPO** + - Select the GPO that you created, and > **OK** 1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy 1. Create links to all other OUs that contain workstations diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md index 84a8a1ab89..2e5a9a8c07 100644 --- a/windows/security/identity-protection/credential-guard/configure.md +++ b/windows/security/identity-protection/credential-guard/configure.md 
@@ -212,7 +212,7 @@ The following event indicates whether TPM is used for key protection. Path: `App :::column-end::: :::row-end::: -If you're running with a TPM, the TPM PCR mask value is something other than 0. +The TPM PCR mask is only relevant when SRTM is used. If the cached Copy status is 1, SRTM was not used - typically indicating DRTM is in use - and the PCR mask should be ignored. ## Disable Credential Guard diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index ebad860cb2..aef59bf2b1 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md @@ -1,10 +1,10 @@ --- -title: Support for passkeys in Windows +title: Support for Passkeys in Windows description: Learn about passkeys and how to use them on Windows devices. ms.collection: - tier1 ms.topic: overview -ms.date: 09/06/2024 +ms.date: 04/07/2025 appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md index 8c0882c38c..5d48549c5c 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md @@ -2,7 +2,7 @@ title: Deploy Virtual Smart Cards description: Learn about what to consider when deploying a virtual smart card authentication solution ms.topic: concept-article -ms.date: 09/06/2024 +ms.date: 04/07/2025 --- # Deploy Virtual Smart Cards diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md index 3ee5766ed3..99ccd6d643 100644 
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md @@ -2,7 +2,7 @@ title: Evaluate Virtual Smart Card Security description: Learn about the security characteristics and considerations when deploying TPM virtual smart cards. ms.topic: concept-article -ms.date: 09/06/2024 +ms.date: 04/07/2025 --- # Evaluate Virtual Smart Card Security diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md index f9d707ff54..d4c5e6d5b9 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md @@ -2,7 +2,7 @@ title: Get Started with Virtual Smart Cards - Walkthrough Guide description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards. ms.topic: get-started -ms.date: 09/06/2024 +ms.date: 04/07/2025 --- # Get Started with Virtual Smart Cards: Walkthrough Guide diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md index 985c2fcf93..5cc635e4d2 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md @@ -2,7 +2,7 @@ title: Virtual Smart Card Overview description: Learn about virtual smart card technology for Windows. ms.topic: overview -ms.date: 09/06/2024 +ms.date: 04/07/2025 --- # Virtual Smart Card Overview 
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md index 4204ca10f0..b908769c7e 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md @@ -2,7 +2,7 @@ title: Tpmvscmgr description: Learn about the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer. ms.topic: reference -ms.date: 09/06/2024 +ms.date: 04/07/2025 --- # Tpmvscmgr diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md index d1a28711ff..fc2fc88404 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md @@ -2,7 +2,7 @@ title: Understanding and Evaluating Virtual Smart Cards description: Learn how smart card technology can fit into your authentication design. ms.topic: overview -ms.date: 09/06/2024 +ms.date: 04/07/2025 --- # Understand and Evaluate Virtual Smart Cards diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index de527ed1b0..66b7644792 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md 
@@ -2,7 +2,7 @@ title: Use Virtual Smart Cards description: Learn about the requirements for virtual smart cards, how to use and manage them. ms.topic: concept-article -ms.date: 09/06/2024 +ms.date: 04/07/2025 --- # Use Virtual Smart Cards diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-logging.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-logging.md index 1696c770a0..8d95c636d5 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-logging.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-logging.md @@ -2,7 +2,7 @@ title: Configure Windows Firewall logging description: Learn how to configure Windows Firewall to log dropped packets or successful connections with CSP and group policy. ms.topic: how-to -ms.date: 09/06/2024 +ms.date: 04/07/2025 --- # Configure Windows Firewall logging diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md index b332d7b87d..0222d06e64 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md @@ -1,8 +1,8 @@ --- -title: Manage Windows Firewall with the command line +title: Manage Windows Firewall With the Command Line description: Learn how to manage Windows Firewall from the command line. This guide provides examples how to manage Windows Firewall with PowerShell and Netsh. ms.topic: how-to -ms.date: 09/06/2024 +ms.date: 04/07/2025 --- # Manage Windows Firewall with the command line 
@@ -53,7 +53,7 @@ netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFile ### Disable Windows Firewall -Microsoft recommends that you don't disable Windows Firewall because you lose other benefits, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, Windows Service Hardening, and [boot time filters][BTF]. Non-Microsoft firewall software can programmatically disable only the [rule types][FWRC] of Windows Firewall that need to be disabled for compatibility. You shouldn't disable the firewall yourself for this purpose. +Microsoft recommends that you don't disable Windows Firewall because you lose other benefits, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, Windows Service Hardening, and [boot time filters][BTF]. Non-Microsoft firewall software can programmatically disable only the [rule types][FWRC] of Windows Firewall that need to be disabled for compatibility. You shouldn't disable the firewall yourself for this purpose. If disabling Windows Firewall is required, don't disable it by stopping the Windows Firewall service (in the Services snap-in, the display name is Windows Defender Firewall and the service name is MpsSvc). Stopping the Windows Firewall service isn't supported by Microsoft and can cause problems, including: - Start menu can stop working diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure.md b/windows/security/operating-system-security/network-security/windows-firewall/configure.md index f6540ef8df..b4ca3feac9 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/configure.md 
@@ -1,8 +1,8 @@ --- -title: Configure firewall rules with group policy +title: Configure Firewall Rules With Group Policy description: Learn how to configure firewall rules using group policy with the Windows Firewall with Advanced Security console. ms.topic: how-to -ms.date: 09/06/2024 +ms.date: 04/07/2025 --- # Configure rules with group policy diff --git a/windows/security/operating-system-security/network-security/windows-firewall/dynamic-keywords.md b/windows/security/operating-system-security/network-security/windows-firewall/dynamic-keywords.md index 55844489b4..30210647b8 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/dynamic-keywords.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/dynamic-keywords.md @@ -1,8 +1,8 @@ --- -title: Windows Firewall dynamic keywords +title: Windows Firewall Dynamic Keywords description: Learn about Windows Firewall dynamic keywords and how to configure it using Windows PowerShell. ms.topic: how-to -ms.date: 09/06/2024 +ms.date: 04/07/2025 --- # Windows Firewall dynamic keywords diff --git a/windows/security/operating-system-security/network-security/windows-firewall/filter-origin-documentation.md b/windows/security/operating-system-security/network-security/windows-firewall/filter-origin-documentation.md index 3b126e154b..67bab0410a 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/filter-origin-documentation.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/filter-origin-documentation.md @@ -1,8 +1,8 @@ --- -title: Filter origin audit log +title: Filter Origin Audit Log description: Learn about Windows Firewall and filter origin audit log to troubleshoot packet drops. ms.topic: troubleshooting -ms.date: 09/06/2024 +ms.date: 04/07/2025 --- # Filter origin audit log 
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md index c0f1b76b53..dee3c9a4a0 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md @@ -1,8 +1,8 @@ --- -title: Hyper-V firewall +title: Hyper-V Firewall description: Learn how to configure Hyper-V firewall rules and settings using PowerShell or Configuration Service Provider (CSP). ms.topic: how-to -ms.date: 09/06/2024 +ms.date: 04/07/2025 appliesto: - ✅ Windows 11 --- diff --git a/windows/security/operating-system-security/network-security/windows-firewall/index.md b/windows/security/operating-system-security/network-security/windows-firewall/index.md index 4de85b91d4..1a10def08e 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/index.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/index.md @@ -1,8 +1,8 @@ --- -title: Windows Firewall overview +title: Windows Firewall Overview description: Learn overview information about the Windows Firewall security feature. ms.topic: overview -ms.date: 09/06/2024 +ms.date: 04/07/2025 --- # Windows Firewall overview 
@@ -75,7 +75,7 @@ The *public network* profile is designed with higher security in mind for public ## Disable Windows Firewall -Microsoft recommends that you don't disable Windows Firewall because you lose other benefits, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, Windows Service Hardening, and [boot time filters][BTF]. Non-Microsoft firewall software can programmatically disable only the [rule types][FWRC] of Windows Firewall that need to be disabled for compatibility. You shouldn't disable the firewall yourself for this purpose. +Microsoft recommends that you don't disable Windows Firewall because you lose other benefits, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, Windows Service Hardening, and [boot time filters][BTF]. Non-Microsoft firewall software can programmatically disable only the [rule types][FWRC] of Windows Firewall that need to be disabled for compatibility. You shouldn't disable the firewall yourself for this purpose. If disabling Windows Firewall is required, don't disable it by stopping the Windows Firewall service (in the Services snap-in, the display name is Windows Defender Firewall and the service name is MpsSvc). Stopping the Windows Firewall service isn't supported by Microsoft and can cause problems, including: - Start menu can stop working diff --git a/windows/security/operating-system-security/network-security/windows-firewall/quarantine.md b/windows/security/operating-system-security/network-security/windows-firewall/quarantine.md index 66d7f05f80..5c15f745cf 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/quarantine.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/quarantine.md 
@@ -1,8 +1,8 @@ --- -title: Quarantine behavior +title: Quarantine Behavior description: Learn about Windows Firewall and the quarantine feature behavior. ms.topic: concept-article -ms.date: 09/06/2024 +ms.date: 04/07/2025 --- # Quarantine behavior diff --git a/windows/security/operating-system-security/network-security/windows-firewall/rules.md b/windows/security/operating-system-security/network-security/windows-firewall/rules.md index 3e4efcc4cd..6b6eef9e48 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/rules.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/rules.md @@ -1,7 +1,7 @@ --- -title: Windows Firewall rules +title: Windows Firewall Rules description: Learn about Windows Firewall rules and design recommendations. -ms.date: 09/06/2024 +ms.date: 04/07/2025 ms.topic: concept-article --- @@ -21,7 +21,7 @@ In many cases, allowing specific types of inbound traffic is required for applic Because of 1 and 2, when designing a set of policies, you should make sure that there are no other explicit block rules that could inadvertently overlap, thus preventing the traffic flow you wish to allow. -Outbound rules follow the same precedence behaviors. +Outbound rules follow the same precedence behaviors. > [!NOTE] > Windows Firewall doesn't support weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors as described. 
@@ -33,12 +33,12 @@ When first installed, network applications and services issue a *listen call* sp :::row::: :::column span="2"::: If there's no active application or administrator-defined allow rule(s), a dialog box prompts the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network: - + - If the user has admin permissions, they're prompted. If they respond *No* or cancel the prompt, block rules are created. Two rules are typically created, one each for TCP and UDP traffic - If the user isn't a local admin and they are prompted, block rules are created. It doesn't matter what option is selected To disable the notification prompt, you can use the [command line](/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line) or the **Windows Firewall with Advanced Security** console - + :::column-end::: :::column span="2"::: :::image type="content" source="images/uac.png" alt-text="Screenshot showing the User Account Control (UAC) prompt to allow Microsoft Teams." border="false"::: diff --git a/windows/security/operating-system-security/network-security/windows-firewall/tools.md b/windows/security/operating-system-security/network-security/windows-firewall/tools.md index bd17b1a53c..6c1d8fbbd2 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/tools.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/tools.md @@ -1,7 +1,7 @@ --- -title: Windows Firewall tools +title: Windows Firewall Tools description: Learn about the available tools to configure Windows Firewall and firewall rules. -ms.date: 09/06/2024 +ms.date: 04/07/2025 ms.topic: best-practice --- 
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/troubleshooting-uwp-firewall.md index 07a5074ab6..0d7e9b0c1b 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/troubleshooting-uwp-firewall.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/troubleshooting-uwp-firewall.md @@ -2,7 +2,7 @@ title: Troubleshooting UWP App Connectivity Issues in Windows Firewall description: Troubleshooting UWP App Connectivity Issues in Windows Firewall ms.topic: troubleshooting -ms.date: 09/06/2024 +ms.date: 04/07/2025 --- # Troubleshooting UWP App Connectivity Issues diff --git a/windows/security/security-foundations/certification/validations/cc-windows-server-previous.md b/windows/security/security-foundations/certification/validations/cc-windows-server-previous.md index d41e015648..bba88b0a2d 100644 --- a/windows/security/security-foundations/certification/validations/cc-windows-server-previous.md +++ b/windows/security/security-foundations/certification/validations/cc-windows-server-previous.md 
@@ -63,7 +63,7 @@ The following tables list the completed Common Criteria certifications for Windo [security-target-april-2014]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf [security-target-january-2014]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf [security-target-march-2011]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf -[security-target-july-2009]: https://www.microsoft.com/download/en/details.aspx?id=29305 +[security-target-july-2009]: https://www.microsoft.com/download/details.aspx?id=29305 [security-target-july-2009-hyperv]: https://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf [security-target-august-2009]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf [security-target-september-2008]: https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf @@ -77,7 +77,7 @@ The following tables list the completed Common Criteria certifications for Windo [admin-guide-january-2015-pro]: https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx [admin-guide-april-2014]: https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf [admin-guide-january-2014]: https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx -[admin-guide-july-2009]: https://www.microsoft.com/download/en/details.aspx?id=29308 +[admin-guide-july-2009]: https://www.microsoft.com/download/details.aspx?id=29308 [admin-guide-july-2009-hyperv]: https://www.microsoft.com/en-us/download/details.aspx?id=14252 
diff --git a/windows/whats-new/deprecated-features-resources.md b/windows/whats-new/deprecated-features-resources.md index a276519e51..e17e62955c 100644 --- a/windows/whats-new/deprecated-features-resources.md +++ b/windows/whats-new/deprecated-features-resources.md @@ -1,7 +1,7 @@ --- title: Resources for deprecated features in the Windows client description: Resources and details for deprecated features in the Windows client. -ms.date: 08/14/2024 +ms.date: 04/08/2025 ms.service: windows-client ms.subservice: itpro-fundamentals ms.localizationpriority: medium 
@@ -21,6 +21,15 @@ appliesto: This article provides additional resources about [deprecated features for Windows client](deprecated-features.md) that may be needed by IT professionals. The following information is provided to help IT professionals plan for the removal of deprecated features: +## Windows UWP Map control and Windows Maps platform APIs + +In May 2024, we announced the unification of [Bing Maps for Enterprise](https://blogs.bing.com/maps/2024-05/Microsoft-Announces-Vision-for-Next-Generation-of-Enterprise-Maps) with [Azure Maps](https://azure.microsoft.com/products/azure-maps). This means that going forward, Azure Maps will combine the best of Bing Maps for Enterprise and Azure Maps. If your solution uses the Windows UWP Map control, look to move to an Azure Maps based replacement within one year of this deprecation notice rather than the end date for the entire Bing Maps for Enterprise platform. The following resources can help you with this transition: +- [Migrate from Bing Maps to Azure Maps](/azure/azure-maps/migrate-bing-maps-overview) +- [Use the Azure Maps map control](/azure/azure-maps/how-to-use-map-control) +- [Azure Maps code samples](https://samples.azuremaps.com/) +- [Bing Maps Blog](https://blogs.bing.com/maps) +- [Azure Maps Blog](https://techcommunity.microsoft.com/category/azure/blog/azuremapsblog) + ## Paint 3D Paint 3D is deprecated and will be removed from the Microsoft Store on November 4, 2024. Existing installations of Paint 3D will continue to work, but the app will no longer be available for download from the Microsoft Store. If you remove the app, you can reinstall it from the Microsoft Store until November 4, 2024. After that date, Paint 3D will no longer be available for download. Paint 3D was preinstalled on some Windows 10 devices, but wasn't preinstalled on Windows 11 devices. Some alternatives to Paint 3D include: 
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md index 88573222b7..227c3532f5 100644 --- a/windows/whats-new/deprecated-features.md +++ b/windows/whats-new/deprecated-features.md @@ -1,7 +1,7 @@ --- title: Deprecated features in the Windows client description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11. -ms.date: 02/19/2025 +ms.date: 04/08/2025 ms.service: windows-client ms.subservice: itpro-fundamentals ms.localizationpriority: medium 
@@ -47,6 +47,7 @@ The features in this article are no longer being actively developed, and might b | Feature | Details and mitigation | Deprecation announced | |---|---|---| +| Windows UWP Map control and Windows Maps platform APIs | The [Windows UWP Map control](/uwp/api/windows.ui.xaml.controls.maps) and [Windows Maps platform APIs](/uwp/api/windows.services.maps) within Windows have been deprecated as of April 8, 2025. The Maps UWP Control and Maps platform support within Windows will continue to function but will not be updated. For more information, see [Resources for deprecated features](deprecated-features-resources.md#windows-uwp-map-control-and-windows-maps-platform-apis). | April 8, 2025 | | Line printer daemon (LPR/LPD) | Deprecation reminder: [The line printer daemon protocol (LPR/LPD) was deprecated](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831568(v=ws.11)#printing) starting in Windows Server 2012. As removal of the line printer daemon protocol nears, we'd like to remind customers to ensure their environments are prepared for removal. When these features are eventually removed, clients that print to a server using this protocol, such as UNIX clients, will not be able to connect or print. Instead, UNIX clients should use IPP. Windows clients can connect to UNIX shared printers using the [Windows Standard Port Monitor](/troubleshoot/windows-server/printing/standard-port-monitor-for-tcpip). | [Original announcement: Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831568(v=ws.11)#printing)

    Courtesy reminder: February 2025 | | Location History | We are deprecating and removing the Location History feature, an [API](/uwp/api/windows.devices.geolocation.geolocator.getgeopositionhistoryasync) that allowed Cortana to access 24 hours of device history when location was enabled. With the removal of the Location History feature, location data will no longer be saved locally and the corresponding settings will also be removed from the **Privacy & Security** > **Location** page in **Settings**. | February 2025 | | Suggested actions | Suggested actions that appear when you copy a phone number or future date in Windows 11 are deprecated and will be removed in a future Windows 11 update. | December 2024 |
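Review bot: In the hunk at @@ -225,33 (To enforce local account restrictions for remote access), un-doubling the backslashes in `<*Forest*>\Domains\<*Domain*>` leaves a `\<` sequence, which Markdown reads as an escaped `<`, so the separator before the domain placeholder is lost when the page renders. Keep `\\` in front of `<`. The same hunk moves the UAC step to the **Computer Configuration** > **Windows Settings** breadcrumb form but leaves `*Forest*\\*Domain*\*OU*` in the link step with mixed separators, and the UAC sub-steps now say "Select" while the rest of the procedure still says "Double-click" and "Right-click"; these are worth normalising in the same pass.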
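Review bot: In the hunk at @@ -278,23 (To deny network logon to all local administrator accounts), the two "Navigate to" steps reach the same **User Rights Assignment** node by different paths: `Computer Configuration\Windows Settings\Security Settings\` in the first and `Computer Configuration\Policies\Windows Settings and Local Policies` in the second. Both lines are already being edited, so give them one path, written in the bold breadcrumb form that the @@ -225 hunk adopts for **Security Options**. Two smaller points on the changed lines: `Security Settings\, and` now ends in `\,`, which Markdown treats as an escaped comma, and the rewritten `gpo_name` step still reads "is the name of the new GPO indicates that" and describes interactive sign-in in a procedure about network logon.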
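Review bot: In the credential-guard/configure.md hunk at @@ -212,7, the replacement sentence tells the reader when to ignore the PCR mask but drops the only statement of how to read it, namely that with a TPM the mask is something other than 0. Keep that guidance, scoped to the SRTM case, ahead of the new caveat. The new text also introduces SRTM and DRTM without expanding them (Static and Dynamic Root of Trust for Measurement) and writes "cached Copy status" with mixed capitalisation; match the field name exactly as the event shows it so readers can find the value they are being told to check.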
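Review bot: In the configure-with-command-line.md hunk at @@ -1,8, the front-matter title becomes "Manage Windows Firewall With the Command Line" while the H1 in the trailing context stays "# Manage Windows Firewall with the command line", so the page metadata and its visible heading now disagree in casing. Either change the H1 in the same commit or leave the title as it was. The other windows-firewall files in this patch (configure.md, dynamic-keywords.md, filter-origin-documentation.md, hyper-v-firewall.md, index.md, quarantine.md) show the same title and H1 mismatch.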
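Review bot: In the windows-firewall/index.md hunk at @@ -75,7, the removed and added "Microsoft recommends that you don't disable Windows Firewall" paragraphs read identically, so this is a whitespace-only change, and the identical edit is repeated in configure-with-command-line.md at @@ -53,7. Say so in the commit message so reviewers do not hunt for a wording change, and consider moving this paragraph and the MpsSvc warning that follows it into a shared include so the guidance against stopping the service is maintained in one place.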
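Review bot: In the cc-windows-server-previous.md hunk at @@ -77,7, `admin-guide-july-2009` is made locale-neutral (`/download/details.aspx?id=29308`) but the next reference in the context, `admin-guide-july-2009-hyperv`, still pins `/en-us/download/details.aspx?id=14252`. If the aim is to remove hard-coded locales from these download links, update that one too. The Microsoft-hosted targets should also be checked after the path change, since this commit only rewrites the URLs.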
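Review bot: In the deprecated-features-resources.md hunk at @@ -21,6, the new section gives the migration deadline as "within one year of this deprecation notice", which forces the reader to look up the notice date in another article. State the date directly; the companion row added to deprecated-features.md gives April 8, 2025 as the deprecation date. The sentence also mentions "the end date for the entire Bing Maps for Enterprise platform" without giving that date or linking to it, and the resource list starts on the line straight after the paragraph with no blank line between them.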
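Review bot: In the deprecated-features.md hunk at @@ -47,6, the new table row sits in the "Details and mitigation" column but contains no mitigation: it says the Maps UWP control and platform APIs "will continue to function but will not be updated" and then defers to the resources page. Name the replacement in the row itself, as the resources section does (move to an Azure Maps based replacement), so the table is usable on its own. "will not be updated" could also be "won't be updated" to match the contraction style of the neighbouring rows.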