deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 22:07:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

merged

Browse Source
This commit is contained in:
Justin Hall 2018-12-13 15:11:32 -08:00
commit 744bacbc14
93 changed files with 3821 additions and 1510 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.openpublishing.redirection.json
View File

@ -13891,6 +13891,11 @@
"redirect_document_id": true
},
{
"source_path": "windows/deployment/windows-autopilot/windows-10-autopilot.md",
"redirect_url": "/windows/deployment/windows-autopilot/windows-autopilot",
"redirect_document_id": true
},
{
"source_path": "windows/privacy/manage-windows-endpoints.md",
"redirect_url": "/windows/privacy/manage-windows-1809-endpoints",
"redirect_document_id": true

27
devices/surface-hub/create-a-device-account-using-office-365.md
View File

@ -75,10 +75,16 @@ From here on, you'll need to finish the account creation process using PowerShel
In order to run cmdlets used by these PowerShell scripts, the following must be installed for the admin PowerShell console:
- [Microsoft Online Services Sign-In Assistant for IT Professionals BETA](https://go.microsoft.com/fwlink/?LinkId=718149)
- [Microsoft Online Services Sign-In Assistant for IT Professionals RTW](https://www.microsoft.com/en-us/download/details.aspx?id=41950)
- [Windows Azure Active Directory Module for Windows PowerShell](https://www.microsoft.com/web/handlers/webpi.ashx/getinstaller/WindowsAzurePowershellGet.3f.3f.3fnew.appids)
- [Skype for Business Online, Windows PowerShell Module](https://www.microsoft.com/download/details.aspx?id=39366)
Install the following module in Powershell
``` syntax
install-module AzureAD
Install-module MsOnline
```
### Connecting to online services
1. Run Windows PowerShell as Administrator.
@ -200,8 +206,7 @@ In order to enable Skype for Business, your environment will need to meet the fo
2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
```PowerShell
Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool
"sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress
Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress
```
If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
@ -356,18 +361,22 @@ In order to enable Skype for Business, your environment will need to meet the fo
Import-PSSession $cssess -AllowClobber
```
2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
2. Retrieve your Surface Hub account Registrar Pool
If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
```PowerShell
Get-CsOnlineUser -Identity alice@contoso.microsoft.com| fl *registrarpool*
```
3. To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
```PowerShell
Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool
"sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress
```
If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
```PowerShell
Get-CsOnlineUser -Identity alice@contoso.microsoft.com| fl *registrarpool*
```

16
devices/surface/microsoft-surface-data-eraser.md
View File

@ -150,6 +150,22 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
Microsoft Surface Data Eraser is periodically updated by Microsoft. For information about the changes provided in each new version, see the following:
### Version 3.2.78.0
*Release Date: 4 Dec 2018*
This version of Surface Data Eraser:
- Includes bug fixes
### Version 3.2.75.0
*Release Date: 12 November 2018*
This version of Surface Data Eraser:
- Adds support to Surface Studio 2
- Fixes issues with SD card
### Version 3.2.69.0
*Release Date: 12 October 2018*

4
devices/surface/surface-enterprise-management-mode.md
View File

@ -191,8 +191,10 @@ For use with SEMM and Microsoft Surface UEFI Configurator, the certificate must
## Version History
### Version 2.26.136.0
* Add support to Surface Studio 2
### Version 2.21.136.9
### Version 2.21.136.0
* Add support to Surface Pro 6
* Add support to Surface Laptop 2

2
mdop/mbam-v2/understanding-mbam-reports-mbam-2.md
View File

@ -159,7 +159,7 @@ Removable Data Volume encryption status will not be shown in the report.
</tr>
<tr class="even">
<td align="left"><p>Policy-Fixed Data Drive</p></td>
<td align="left"><p>Indicates if encryption is required for the dixed data drive.</p></td>
<td align="left"><p>Indicates if encryption is required for the fixed data drive.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Policy Removable Data Drive</p></td>

11
windows/application-management/apps-in-windows-10.md
View File

@ -8,10 +8,12 @@ ms.pagetype: mobile
ms.author: elizapo
author: lizap
ms.localizationpriority: medium
ms.date: 08/23/2018
ms.date: 12/12/2018
---
# Understand the different apps included in Windows 10
>Applies to: Windows 10
The following types of apps run on Windows 10:
- Windows apps - introduced in Windows 8, primarily installed from the Store app.
- Universal Windows Platform (UWP) apps - designed to work across platforms, can be installed on multiple platforms including Windows client, Windows Phone, and Xbox. All UWP apps are also Windows apps, but not all Windows apps are UWP apps.
@ -38,6 +40,8 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an
> Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName
> ```
<br>
| Package name | App name | 1703 | 1709 | 1803 | 1809 | Uninstall through UI? |
|----------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:|
| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | x | | | | Yes |
@ -83,10 +87,9 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an
| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | No |
---
>[!NOTE]
>The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it.
---
## System apps
@ -98,6 +101,8 @@ System apps are integral to the operating system. Here are the typical system ap
> Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
> ```
<br>
| Name | Package Name | 1703 | 1709 | 1803 | Uninstall through UI? |
|----------------------------------|---------------------------------------------|:-----:|:----:|:----:|-----------------------|
| File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | | x | No |

15
windows/client-management/TOC.md
View File

@ -12,16 +12,19 @@
## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)
## [Windows libraries](windows-libraries.md)
## [Troubleshoot Windows 10 clients](windows-10-support-solutions.md)
### [Data collection for troubleshooting 802.1x Authentication](data-collection-for-802-authentication.md)
### [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md)
### [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
### [Advanced troubleshooting Wireless Network Connectivity](advanced-troubleshooting-wireless-network-connectivity.md)
### [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md)
### [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md)
### [Advanced troubleshooting for Windows networking issues](troubleshoot-networking.md)
#### [Advanced troubleshooting Wireless Network Connectivity](advanced-troubleshooting-wireless-network-connectivity.md)
#### [Data collection for troubleshooting 802.1x Authentication](data-collection-for-802-authentication.md)
#### [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md)
### [Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md)
#### [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md)
#### [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md)
#### [Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md)
#### [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md)
### [Advanced troubleshooting for Windows start-up issues](troubleshoot-windows-startup.md)
#### [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
#### [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md)
#### [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md)
#### [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md)
## [Mobile device management for solution providers](mdm/index.md)
## [Change history for Client management](change-history-for-client-management.md)

BIN
windows/client-management/images/check-disk.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 10 KiB

BIN
windows/client-management/images/controlset.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 91 KiB

BIN
windows/client-management/images/loadhive.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 73 KiB

BIN
windows/client-management/images/pendingupdate.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 53 KiB

BIN
windows/client-management/images/revertpending.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 29 KiB

BIN
windows/client-management/images/screenshot1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 57 KiB

BIN
windows/client-management/images/sfc-scannow.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 6.7 KiB

BIN
windows/client-management/images/unloadhive.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB

BIN
windows/client-management/images/unloadhive1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 17 KiB

BIN
windows/client-management/mdm/images/device-manager-disk-drives.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
windows/client-management/mdm/images/disk-drive-hardware-id.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 38 KiB

14
windows/client-management/mdm/policy-csp-bluetooth.md
View File

@ -354,6 +354,12 @@ Footnote:
When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly defined Bluetooth profiles and services. It is an allowed list, enabling admins to still allow custom Bluetooth profiles that are not defined by the Bluetooth Special Interests Group (SIG).
- Disabling a service shall block incoming and outgoing connections for such services
- Disabling a service shall not publish an SDP record containing the service being blocked
- Disabling a service shall not allow SDP to expose a record for a blocked service
- Disabling a service shall log when a service is blocked for auditing purposes
- Disabling a service shall take effect upon reload of the stack or system reboot
To define which profiles and services are allowed, enter the semicolon delimited profile or service Universally Unique Identifiers (UUID). To get a profile UUID, refer to the [Service Discovery](https://www.bluetooth.com/specifications/assigned-numbers/service-discovery) page on the Bluetooth SIG website.
These UUIDs all use the same base UUID with the profile identifiers added to the beginning of the base UUID.
@ -449,4 +455,10 @@ Footnote: * The Surface pen uses the HID over GATT profile
|Object Exchange (OBEX) |Protocol for file transfer |0x0008 |
|PnP Information|Used to identify devices occasionally|0x1200|
{00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}
{00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}
Disabling file transfer shall have the following effects
- Fsquirt shall not allow sending of files
- Fsquirt shall not allow receiving of files
- Fsquirt shall display error message informing user of policy preventing file transfer
- 3rd-party apps shall not be permitted to send or receive files using MSFT Bluetooth API

7
windows/client-management/mdm/policy-csp-deviceinstallation.md
View File

@ -463,10 +463,13 @@ If you disable or do not configure this policy setting, devices can be installed
For more information about hardware IDs and compatible IDs, see [Device Identification Strings](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings).
To get the hardware ID for a device, open Device Manager, right-click the name of the device and click **Properties**. On the **Details** tab, select **Hardware Ids** from the **Property** menu:
You can get the hardware ID in Device Manager. For example, USB drives are listed under Disk drives:
![Hardware IDs](images/hardware-ids.png)
![Disk drives](images/device-manager-disk-drives.png)
Right-click the name of the device, click **Properties** > **Details** and select **Hardware Ids** as the **Property**:
![Hardware IDs](images/disk-drive-hardware-id.png)
<!--/Description-->
> [!TIP]

280
windows/client-management/troubleshoot-inaccessible-boot-device.md Normal file
View File

@ -0,0 +1,280 @@
---
title: Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device
description: Learn how to troubleshoot Stop error 7B or Inaccessible_Boot_Device
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
ms.topic: troubleshooting
author: kaushika-msft
ms.localizationpriority: medium
ms.author: kaushika
ms.date: 12/11/2018
---
# Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device
This article provides steps to troubleshoot **Stop error 7B: Inaccessible_Boot_Device**. This error may occur after some changes are made to the computer, or immediately after you deploy Windows on the computer.
## Causes of the Inaccessible_Boot_Device Stop error
Any one of the following factors may cause the stop error:
* Missing, corrupted, or misbehaving filter drivers that are related to the storage stack
* File system corruption
* Changes to the storage controller mode or settings in the BIOS
* Using a different storage controller than the one that was used when Windows was installed
* Moving the hard disk to a different computer that has a different controller
* A faulty motherboard or storage controller, or faulty hardware
* In unusual cases: the failure of the TrustedInstaller service to commit newly installed updates because of Component Based Store corruptions
* Corrupted files in the **Boot** partition (for example, corruption in the volume that is labeled **SYSTEM** when you run the `diskpart` > `list vol` command)
## Troubleshoot this error
Start the computer in [Windows Recovery Mode (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre). To do this, follow these steps.
1. Start the system by using [the installation media for the installed version of Windows](https://support.microsoft.com/help/15088).
2. On the **Install Windows** screen, select **Next** > **Repair your computer** .
3. On the **System Recovery Options** screen, select **Next** > **Command Prompt** .
### Verify that the boot disk is connected and accessible
#### Step 1
At the WinRE Command prompt, run `diskpart`, and then run `list disk`.
A list of the physical disks that are attached to the computer should be displayed and resemble the following display:
```
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online **size* GB 0 B *
```
If the computer uses a Unified Extensible Firmware Interface (UEFI) startup interface, there will be an asterisk (*) in the **GPT** column.
If the computer uses a basic input/output system (BIOS) interface, there will not be an asterisk in the **Dyn** column.
#### Step 2
If the `list disk` command lists the OS disks correctly, run the `list vol` command in `diskpart`.
`list vol` generates an output that resembles the following display:
```
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
Volume 0 Windows RE NTFS Partition 499 MB Healthy
Volume 1 C OSDisk NTFS Partition 222 GB Healthy Boot
Volume 2 SYSTEM FAT32 Partition 499 MB Healthy System
```
>[!NOTE]
>If the disk that contains the OS is not listed in the output, you will have to engage the OEM or virtualization manufacturer.
### Verify the integrity of Boot Configuration Database
Check whether the Boot Configuration Database (BCD) has all the correct entries. To do this, run `bcdedit` at the WinRE command prompt.
To verify the BCD entries:
1. Examine the **Windows Boot Manager** section that has the **{bootmgr}** identifier. Make sure that the **device** and **path** entries point to the correct device and boot loader file.
An example output if the computer is UEFI-based:
```
device partition=\Device\HarddiskVolume2
path \EFI\Microsoft\Boot\bootmgfw.efi
```
An example output if the machine is BIOS based:
```
Device partition=C:
```
>[!NOTE]
>This output may not contain a path.
2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device** , **path** , **osdevice,** and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder.
>[!NOTE]
>If the computer is UEFI-based, the **bootmgr** and **winload** entires under **{default}** will contain an **.efi** extension.
![bcdedit](images/screenshot1.png)
If any of the information is wrong or missing, we recommend that you create a backup of the BCD store. To do this, run `bcdedit /export C:\temp\bcdbackup`. This command creates a backup in **C:\\temp\\** that is named **bcdbackup** . To restore the backup, run `bcdedit /import C:\temp\bcdbackup`. This command overwrites all BCD settings by using the settings in **bcdbackup** .
After the backup is completed, run the following command to make the changes:
<pre>bcdedit /set *{identifier}* option value</pre>
For example, if the device under {default} is wrong or missing, run the following command to set it: `bcdedit /set {default} device partition=C:`
If you want to re-create the BCD completely, or if you get a message that states that "**The boot configuration data store could not be opened. The system could not find the file specified,** " run `bootrec /rebuildbcd`.
If the BCD has the correct entries, check whether the **winload** and **bootmgr** entries exist in the correct location per the path that is specified in the **bcdedit** command. By default, **bootmgr** in the BIOS partition will be in the root of the **SYSTEM** partition. To see the file, run `Attrib -s -h -r`.
If the files are missing, and you want to rebuild the boot files, follow these steps:
1. Copy all the contents under the **SYSTEM** partition to another location. Alternatively, you can use the command prompt to navigate to the OS drive, create a new folder, and then copy all the files and folders from the **SYSTEM** volume, as follows:
```
D:\> Mkdir BootBackup
R:\> Copy *.* D:\BootBackup
```
2. If you are using Windows 10, or if you are troubleshooting by using a Windows 10 ISO at the Windows Pre-Installation Environment command prompt, you can use the **bcdboot** command to re-create the boot files, as follows:
```cmd
Bcdboot <**OSDrive* >:\windows /s <**SYSTEMdrive* >: /f ALL
```
For example: if we assign the ,System Drive> (WinRE drive) the letter R and the <OSdrive> is the letter D, this command would be the following:
```cmd
Bcdboot D:\windows /s R: /f ALL
```
>[!NOTE]
>The **ALL** part of the **bcdboot** command writes all the boot files (both UEFI and BIOS) to their respective locations.
If you do not have a Windows 10 ISO, you must format the partition and copy **bootmgr** from another working computer that has a similar Windows build. To do this, follow these steps:
1. Start **Notepad** .
2. Press Ctrl+O.
3. Navigate to the system partition (in this example, it is R).
4. Right-click the partition, and then format it.
### Troubleshooting if this issue occurs after a Windows Update installation
Run the following command to verify the Windows update installation and dates:
```cmd
Dism /Image:<Specify the OS drive>: /Get-packages
```
After you run this command, you will see the **Install pending** and **Uninstall Pending ** packages:
![Dism output](images/pendingupdate.png)
1. Run the `dism /Image:C:\ /Cleanup-Image /RevertPendingActions` command. Replace **C:** with the system partition for your computer.
![Dism output](images/revertpending.png)
2. Navigate to ***OSdriveLetter* :\Windows\WinSxS** , and then check whether the **pending.xml** file exists. If it does, rename it to **pending.xml.old**.
3. To revert the registry changes, type **regedit** at the command prompt to open **Registry Editor**.
4. Select **HKEY_LOCAL_MACHINE**, and then go to **File** > **Load Hive**.
5. Navigate to **OSdriveLetter:\Windows\System32\config**, select the file that is named **COMPONENT** (with no extension), and then select **Open**. When you are prompted, enter the name **OfflineComponentHive** for the new hive
![Load Hive](images/loadhive.png)
6. Expand **HKEY_LOCAL_MACHINE\OfflineComponentHive**, and check whether the **PendingXmlIdentifier** key exists. Create a backup of the **OfflineComponentHive** key, and then delete the **PendingXmlIdentifier** key.
7. Unload the hive. To do this, highlight **OfflineComponentHive**, and then select **File** > **Unload hive**.
![Unload Hive](images/unloadhive.png)![Unload Hive](images/unloadhive1.png)
8. Select **HKEY_LOCAL_MACHINE**, go to **File** > **Load Hive**, navigate to ***OSdriveLetter* :\Windows\System32\config**, select the file that is named **SYSTEM** (with no extension), and then select **Open** . When you are prompted, enter the name **OfflineSystemHive** for the new hive.
9. Expand **HKEY_LOCAL_MACHINE\OfflineSystemHive**, and then select the **Select** key. Check the data for the **Default** value.
10. If the data in **HKEY_LOCAL_MACHINE\OfflineSystemHive\Select\Default** is **1** , expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet001**. If it is **2**, expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet002**, and so on.
11. Expand **Control\Session Manager**. Check whether the **PendingFileRenameOperations** key exists. If it does, back up the **SessionManager** key, and then delete the **PendingFileRenameOperations** key.
### Verifying boot critical drivers and services
#### Check services
1. Follow steps 1-10 in the "Troubleshooting if this issue occurs after an Windows Update installation" section. (Step 11 does not apply to this procedure.)
2. Expand **Services**.
3. Make sure that the following registry keys exist under **Services**:
* ACPI
* DISK
* VOLMGR
* PARTMGR
* VOLSNAP
* VOLUME
If these keys exist, check each one to make sure that it has a value that is named **Start** and that it is set to **0**. If not, set the value to **0**.
If any of these keys do not exist, you can try to replace the current registry hive by using the hive from **RegBack**. To do this, run the following commands:
```cmd
cd OSdrive:\Windows\System32\config
ren SYSTEM SYSTEM.old
copy OSdrive:\Windows\System32\config\RegBack\SYSTEM OSdrive:\Windows\System32\config\
```
#### Check upper and lower filter drivers
Check whether there are any non-Microsoft upper and lower filter drivers on the computer and that they do not exist on another, similar working computer. if they do exist, remove the upper and lower filter drivers:
1. Expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet001\Control**.
2. Look for any **UpperFilters** or **LowerFilters** entries.
>[!NOTE]
>These filters are mainly related to storage. After you expand the **Control** key in the registry, you can search for **UpperFilters** and **LowerFilters**.
The following are some of the different registry entries in which you may find these filter drivers. These entries are located under **ControlSet** and are designated as **Default** :
\Control\Class\\{4D36E96A-E325-11CE-BFC1-08002BE10318}
\Control\Class\\{4D36E967-E325-11CE-BFC1-08002BE10318}
\Control\Class\\{4D36E97B-E325-11CE-BFC1-08002BE10318}
\Control\Class\\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
![Registry](images/controlset.png)
If an **UpperFilters** or **LowerFilters** entry is non-standard (for example, it is not a Windows default filter driver, such as PartMgr), remove the entry by double-clicking it in the right pane, and then deleting only that value.
>[!NOTE]
>There could be multiple entries.
The reason that these entries may affect us is because there may be an entry in the **Services** branch that has a START type set to 0 or 1 (indicating that it is loaded at the Boot or Automatic part of the boot process). Also, either the file that is referred to is missing or corrupted, or it may be named differently than what is listed in the entry.
>[!NOTE]
>If there actually is a service that is set to **0** or **1** that corresponds to an **UpperFilters** or **LowerFilters** entry, setting the service to disabled in the **Services** registry (as discussed in steps 2 and 3 of the Check services section) without removing the **Filter Driver** entry causes the computer to crash and generate a 0x7b Stop error.
### Running SFC and Chkdsk
If the computer still does not start, you can try to run a **chkdisk** process on the system drive, and also run System File Checker. To do this, run the following commands at a WinRE command prompt:
* `chkdsk /f /r OsDrive:`
![Check disk](images/check-disk.png)
* `sfc /scannow /offbootdir=OsDrive:\ /offwindir=OsDrive:\Windows`
![SFC scannow](images/sfc-scannow.png)

20
windows/client-management/troubleshoot-networking.md Normal file
View File

@ -0,0 +1,20 @@
---
title: Advanced troubleshooting for Windows networking issues
description: Learn how to troubleshoot networking issues.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
author: kaushika-msft
ms.localizationpriority: medium
ms.author: kaushika
ms.date:
---
# Advanced troubleshooting for Windows networking issues
In these topics, you will learn how to troubleshoot common problems related to Windows networking.
- [Advanced troubleshooting Wireless Network](advanced-troubleshooting-wireless-network-connectivity.md)
- [Data collection for troubleshooting 802.1x authentication](data-collection-for-802-authentication.md)
- [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md)
- [Advanced troubleshooting for TCP/IP issues](troubleshoot-tcpip.md)

16
windows/client-management/troubleshoot-tcpip-connectivity.md
View File

@ -36,17 +36,17 @@ If the initial TCP handshake is failing because of packet drops then you would s
Source side connecting on port 445:
![](images/tcp-ts-6.png)
![Screenshot of frame summary in Network Monitor](images/tcp-ts-6.png)
Destination side: applying the same filter, you do not see any packets.
![](images/tcp-ts-7.png)
![Screenshot of frame summary with filter in Network Monitor](images/tcp-ts-7.png)
For the rest of the data, TCP will retransmit the packets 5 times.
**Source 192.168.1.62 side trace:**
![](images/tcp-ts-8.png)
![Screenshot showing packet side trace](images/tcp-ts-8.png)
**Destination 192.168.1.2 side trace:**
@ -71,15 +71,15 @@ In the below screenshots, you see that the packets seen on the source and the de
**Source Side**
![](images/tcp-ts-9.png)
![Screenshot of packets on source side in Network Monitor](images/tcp-ts-9.png)
**On the destination-side trace**
![](images/tcp-ts-10.png)
![Screenshot of packets on destination side in Network Monitor](images/tcp-ts-10.png)
You also see an ACK+RST flag packet in a case when the TCP establishment packet SYN is sent out. The TCP SYN packet is sent when the client wants to connect on a particular port, but if the destination/server for some reason does not want to accept the packet, it would send an ACK+RST packet.
![](images/tcp-ts-11.png)
![Screenshot of packet flag](images/tcp-ts-11.png)
The application which is causing the reset (identified by port numbers) should be investigated to understand what is causing it to reset the connection.
@ -102,8 +102,8 @@ auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /fai
You can then review the Security event logs to see for a packet drop on a particular port-IP and a filter ID associated with it.
![](images/tcp-ts-12.png)
![Screenshot of Event Properties](images/tcp-ts-12.png)
Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file. Once you open this file and filter for the ID you find in the above event (2944008), you will be able to see a firewall rule name associated with this ID which is blocking the connection.
![](images/tcp-ts-13.png)
![Screenshot of wfpstate.xml file](images/tcp-ts-13.png)

20
windows/client-management/troubleshoot-tcpip-port-exhaust.md
View File

@ -54,21 +54,21 @@ Specifically, about outbound connections as incoming connections will not requir
Since outbound connections start to fail, you will see a lot of the below behaviors:
- Unable to login to the machine with domain credentials, however login with local account works. Domain login will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain login might still work.
- Unable to sign in to the machine with domain credentials, however sign-in with local account works. Domain sign-in will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain sign-in might still work.
![](images/tcp-ts-14.png)
![Screenshot of error for NETLOGON in Event Viewer](images/tcp-ts-14.png)
- Group Policy update failures:
![](images/tcp-ts-15.png)
![Screenshot of event properties for Group Policy failure](images/tcp-ts-15.png)
- File shares are inaccessible:
![](images/tcp-ts-16.png)
![Screenshot of error message "Windows cannot access"](images/tcp-ts-16.png)
- RDP from the affected server fails:
![](images/tcp-ts-17.png)
![Screenshot of error when Remote Desktop is unable to connect](images/tcp-ts-17.png)
- Any other application running on the machine will start to give out errors
@ -82,15 +82,15 @@ If you suspect that the machine is in a state of port exhaustion:
a. **Event ID 4227**
![](images/tcp-ts-18.png)
![Screenshot of event id 4227 in Event Viewer](images/tcp-ts-18.png)
b. **Event ID 4231**
![](images/tcp-ts-19.png)
![Screenshot of event id 4231 in Event Viewer](images/tcp-ts-19.png)
3. Collect a `netstat -anob output` from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID.
![](images/tcp-ts-20.png)
![Screenshot of netstate command output](images/tcp-ts-20.png)
After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state.
@ -132,7 +132,7 @@ If method 1 does not help you identify the process (prior to Windows 10 and Wind
1. Add a column called “handles” under details/processes.
2. Sort the column handles to identify the process with the highest number of handles. Usually the process with handles greater than 3000 could be the culprit except for processes like System, lsass.exe, store.exe, sqlsvr.exe.
![](images/tcp-ts-21.png)
![Screenshot of handles column in Windows Task Maner](images/tcp-ts-21.png)
3. If any other process than these has a higher number, stop that process and then try to login using domain credentials and see if it succeeds.
@ -153,7 +153,7 @@ Steps to use Process explorer:
File \Device\AFD
![](images/tcp-ts-22.png)
![Screenshot of Process Explorer](images/tcp-ts-22.png)
10. Some are normal, but large numbers of them are not (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you have further proven that the app is the cause. Contact the vendor of that app.

10
windows/client-management/troubleshoot-tcpip-rpc-errors.md
View File

@ -158,15 +158,15 @@ Open the traces in [Microsoft Network Monitor 3.4](troubleshoot-tcpip-netmon.md)
- Look for the “EPM” Protocol Under the “Protocol” column.
- Now check if you are getting a response from the server or not, if you get a response note the Dynamic Port number that you have been allocated to use.
- Now check if you are getting a response from the server. If you get a response, note the dynamic port number that you have been allocated to use.
![](images/tcp-ts-23.png)
![Screenshot of Network Monitor with dynamic port highlighted](images/tcp-ts-23.png)
- Check if we are connecting successfully to this Dynamic port successfully.
- The filter should be something like this: tcp.port==<dynamic-port-allocated> and ipv4.address==<server-ip>
![](images/tcp-ts-24.png)
![Screenshot of Network Monitor with filter applied](images/tcp-ts-24.png)
This should help you verify the connectivity and isolate if any network issues are seen.
@ -175,13 +175,13 @@ This should help you verify the connectivity and isolate if any network issues a
The most common reason why we would see the RPC server unavailable is when the dynamic port that the client tries to connect is not reachable. The client side trace would then show TCP SYN retransmits for the dynamic port.
![](images/tcp-ts-25.png)
![Screenshot of Network Monitor with TCP SYN retransmits](images/tcp-ts-25.png)
The port cannot be reachable due to one of the following reasons:
- The dynamic port range is blocked on the firewall in the environment.
- A middle device is dropping the packets.
- The destination server is dropping the packets (WFP drop / NIC drop/ Filter driver etc)
- The destination server is dropping the packets (WFP drop / NIC drop/ Filter driver etc).

19
windows/client-management/troubleshoot-windows-startup.md Normal file
View File

@ -0,0 +1,19 @@
---
title: Advanced troubleshooting for Windows start-up issues
description: Learn how to troubleshoot Windows start-up issues.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
author: kaushika-msft
ms.localizationpriority: medium
ms.author: kaushika
ms.date:
---
# Advanced troubleshooting for Windows start-up issues
In these topics, you will learn how to troubleshoot common problems related to Windows start-up.
- [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
- [Advanced troubleshooting for Stop error or blue screen error](troubleshoot-stop-errors.md)
- [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md)

6
windows/configuration/kiosk-methods.md
View File

@ -16,7 +16,7 @@ Some desktop devices in an enterprise serve a special purpose, such as a PC in t
| | |
--- | ---
| **A single-app kiosk**, which runs a single Universal Windows Platform (UWP) app in fullscreen above the lockscreen. People using the kiosk can see only that app.<br><br>When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart.<br><br>A single-app kiosk is ideal for public use.<br><br>(Using [ShellLauncher WMI](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen.) | ![Illustration of a full-screen kiosk experience](images/kiosk-fullscreen.png)
| **A single-app kiosk**, which runs a single Universal Windows Platform (UWP) app in fullscreen above the lockscreen. People using the kiosk can see only that app.<br><br>When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart.<br><br>A single-app kiosk is ideal for public use.<br><br>(Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen.) | ![Illustration of a full-screen kiosk experience](images/kiosk-fullscreen.png)
| **A multi-app kiosk**, which runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types.<br><br>A multi-app kiosk is appropriate for devices that are shared by multiple people.<br><br>When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device. | ![Illustration of a kiosk Start screen](images/kiosk-desktop.png)
Kiosk configurations are based on **Assigned Access**, a feature in Windows 10 that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user.
@ -47,7 +47,7 @@ You can use this method | For this edition | For this kiosk account type
You can use this method | For this edition | For this kiosk account type
--- | --- | ---
[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Azure AD
[ShellLauncher WMI](kiosk-shelllauncher.md) | Ent, Edu | Local standard user, Active Directory, Azure AD
[Shell Launcher](kiosk-shelllauncher.md) | Ent, Edu | Local standard user, Active Directory, Azure AD
[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD
<span id="desktop" />
@ -68,7 +68,7 @@ Method | App type | Account type | Single-app kiosk | Multi-app kiosk
[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X |
[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X | X
Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Azure AD | X | X
[ShellLauncher WMI](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | X |
[Shell Launcher](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | X |
[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | | X

2
windows/configuration/kiosk-prepare.md
View File

@ -28,7 +28,7 @@ For a more secure kiosk experience, we recommend that you make the following con
Recommendation | How to
--- | ---
Hide update notifications<br>(New in Windows 10, version 1809) | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**<br>-or-<br>Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)<br>-or-<br>Add the following registry keys as DWORD (32-bit) type:</br>`HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\UpdateNotificationLevel` with a value of `1`, and `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetUpdateNotificationLevel` with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings.
Hide update notifications<br>(New in Windows 10, version 1809) | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**<br>-or-<br>Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)<br>-or-<br>Add the following registry keys as DWORD (32-bit) type:</br>`HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetUpdateNotificationLevel` with a value of `1`, and `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\UpdateNotificationLevel` with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings.
Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:</br></br>`HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled`
Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** &gt; **System** &gt; **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign.
Hide **Ease of access** feature on the sign-in screen. | See [how to disable the Ease of Access button in the registry.](https://docs.microsoft.com/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen)

2
windows/configuration/lockdown-features-windows-10.md
View File

@ -38,7 +38,7 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be
<tbody>
<tr class="odd">
<td align="left"><p>[Hibernate Once/Resume Many (HORM)](https://go.microsoft.com/fwlink/p/?LinkId=626758): Quick boot to device</p></td>
<td align="left">N/A</td>
<td align="left">[HORM](https://docs.microsoft.com/windows-hardware/customize/enterprise/hibernate-once-resume-many-horm-)</td>
<td align="left"><p>HORM is supported in Windows 10, version 1607 and later. </p></td>
</tr>
<tr class="even">

2
windows/configuration/set-up-shared-or-guest-pc.md
View File

@ -89,7 +89,7 @@ You can configure Windows to be in shared PC mode in a couple different ways:
![Shared PC settings in ICD](images/icd-adv-shared-pc.png)
- WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For example, open PowerShell as an administrator and enter the following:
- WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following:
```
$sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC"

9
windows/deployment/deploy-whats-new.md
View File

@ -7,7 +7,7 @@ ms.localizationpriority: medium
ms.prod: w10
ms.sitesec: library
ms.pagetype: deploy
ms.date: 11/06/2018
ms.date: 12/07/2018
author: greg-lindsay
---
@ -16,7 +16,6 @@ author: greg-lindsay
**Applies to**
- Windows 10
## In this topic
This topic provides an overview of new solutions and online content related to deploying Windows 10 in your organization.
@ -34,6 +33,12 @@ Microsoft is [extending support](https://www.microsoft.com/microsoft-365/blog/20
![Support lifecycle](images/support-cycle.png)
## Windows 10 servicing and support
Microsoft is [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. This includes all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months (there is no change for these editions). These support policies are summarized in the table below.
![Support lifecycle](images/support-cycle.png)
## Windows 10 Enterprise upgrade
Windows 10 version 1703 includes a Windows 10 Enterprise E3 and E5 benefit to Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA). These customers can now subscribe users to Windows 10 Enterprise E3 or E5 and activate their subscriptions on up to five devices. Virtual machines can also be activated. For more information, see [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md).

2
windows/deployment/index.yml
View File

@ -60,7 +60,7 @@ sections:
Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment.
<br>&nbsp;<br>
<table border='0'><tr><td>Topic</td><td>Description</td></tr>
<tr><td>[Overview of Windows Autopilot](windows-autopilot/windows-10-autopilot.md) </td><td>Windows Autopilot deployment is a new cloud service from Microsoft that provides a zero touch experience for deploying Windows 10 devices. </td>
<tr><td>[Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) </td><td>Windows Autopilot deployment is a new cloud service from Microsoft that provides a zero touch experience for deploying Windows 10 devices. </td>
<tr><td>[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) </td><td>This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. </td>
<tr><td>[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) </td><td>This topic provides information about support for upgrading from one edition of Windows 10 to another. </td>
<tr><td>[Windows 10 volume license media](windows-10-media.md) </td><td>This topic provides information about media available in the Microsoft Volume Licensing Service Center. </td>

11
windows/deployment/update/windows-analytics-privacy.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.date: 07/02/2018
ms.date: 12/11/2018
ms.localizationpriority: high
---
@ -17,7 +17,7 @@ ms.localizationpriority: high
Windows Analytics is fully committed to privacy, centering on these tenets:
- **Transparency:** We fully document the Windows Analytics diagnostic events (see the links for additional information) so you can review them with your companys security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) for details).
- **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics
- **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10, version 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics
- **Security:** Your data is protected with strong security and encryption
- **Trust:** Windows Analytics supports the Microsoft Online Service Terms
@ -39,8 +39,11 @@ See these topics for additional background information about related privacy iss
- [Windows 10 and the GDPR for IT Decision Makers](https://docs.microsoft.com/windows/privacy/gdpr-it-guidance)
- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
- [Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events, and Fields](https://go.microsoft.com/fwlink/?LinkID=822965) (link downloads a PDF file)
- [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703)
- [Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events, and Fields](https://go.microsoft.com/fwlink/?LinkID=822965)
- [Windows 10, version 1809 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809)
- [Windows 10, version 1803 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803)
- [Windows 10, version 1709 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709)
- [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703)
- [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields)
- [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview)
- [Licensing Terms and Documentation](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31)

291
windows/deployment/upgrade/upgrade-readiness-deployment-script.md
View File

@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.date: 10/29/2018
ms.date: 12/12/2018
---
# Upgrade Readiness deployment script
@ -83,232 +83,69 @@ To run the Upgrade Readiness deployment script:
The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
<div font-size='5pt;'>
<table border='1' cellspacing='0' cellpadding='0' width="100%">
<tr>
<td BGCOLOR="#a0e4fa">Exit code and meaning</td>
<td BGCOLOR="#a0e4fa">Suggested fix</td>
</tr>
<tr><td>0 - Success</td>
<td>N/A</td>
</tr>
<tr>
<td>1 - Unexpected error occurred while executing the script.</td>
<td> The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again.</td>
</tr>
<tr>
<td>2 - Error when logging to console. $logMode = 0.<BR>(console only)</td>
<td>Try changing the $logMode value to **1** and try again.<BR>$logMode value 1 logs to both console and file.</td>
</tr>
<tr>
<td>3 - Error when logging to console and file. $logMode = 1.</td>
<td>Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.</td>
</tr>
<tr>
<td>4 - Error when logging to file. $logMode = 2.</td>
<td>Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.</td>
</tr>
<tr>
<td>5 - Error when logging to console and file. $logMode = unknown.</td>
<td>Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.</td>
</tr>
<tr>
<td>6 - The commercialID parameter is set to unknown. <BR>Modify the runConfig.bat file to set the CommercialID value.</td>
<td>The value for parameter in the runconfig.bat file should match the Commercial ID key for your workspace.
<BR>See [Generate your Commercial ID key](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#generate-your-commercial-id-key) for instructions on generating a Commercial ID key for your workspace.</td>
</tr>
<tr>
<td>8 - Failure to create registry key path: <font size='1'>**HKLM:\SOFTWARE\Microsoft\Windows
\CurrentVersion\Policies\DataCollection**</font></td>
<td>The Commercial Id property is set at the following registry key path: <font size='1'>**HKLM:\SOFTWARE\Microsoft\Windows
\CurrentVersion\Policies\DataCollection**</font>
<BR>Verify that the context under which the script in running has access to the registry key.</td>
</tr>
<tr>
<td>9 - The script failed to write Commercial Id to registry.
<BR>Error creating or updating registry key: **CommercialId** at <font size='1'>**HKLM:\SOFTWARE\Microsoft\Windows
\CurrentVersion\Policies\DataCollection**</font>
</td>
<td>Verify that the context under which the script in running has access to the registry key.</td>
</tr>
<tr>
<td>10 - Error when writing **CommercialDataOptIn** to the registry at <font size='1'>**HKLM:\SOFTWARE\Microsoft\Windows
\CurrentVersion\Policies\DataCollection**</font></td>
<td>Verify that the deployment script is running in a context that has access to the registry key.</td>
</tr>
<tr>
<td>11 - Function **SetupCommercialId** failed with an unexpected exception.</td>
<td>The **SetupCommercialId** function updates the Commercial Id at the registry key path: <font size='1'>**HKLM:\SOFTWARE\Microsoft\Windows
\CurrentVersion\Policies\DataCollection**</font> <BR>Verify that the configuration script has access to this location.</td>
</tr>
<tr>
<td>12 - Cant connect to Microsoft - Vortex. Check your network/proxy settings.</td>
<td>**Http Get** on the end points did not return a success exit code.<BR>
For Windows 10, connectivity is verified by connecting to https://v10.vortex-win.data.microsoft.com/health/keepalive.<BR>
For previous operating systems, connectivity is verified by connecting to https://vortex-win.data.microsoft.com/health/keepalive.
<BR>If there is an error verifying connectivity, this will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md)
<tr>
<td>13 - Cant connect to Microsoft - setting. </td>
<td>An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Verify that the required endpoints are whitelisted correctly. See Whitelist select endpoints for more details.
14 </td>
</tr>
<tr>
<td>14 - Cant connect to Microsoft - compatexchange.</td>
<td>An error occurred connecting to [CompatibilityExchangeService.svc](https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc). This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md).</td>
</tr>
<tr>
<td>15 - Function CheckVortexConnectivity failed with an unexpected exception.</td>
<td>This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). Check the logs for the exception message and the HResult.</td>
</tr>
<tr>
<td>16 - The computer requires a reboot before running the script.</td>
<td>A reboot is required to complete the installation of the compatibility update and related KBs. Reboot the computer before running the Upgrade Readiness deployment script.</td>
</tr>
<tr>
<td>17 - Function **CheckRebootRequired** failed with an unexpected exception.</td>
<td>A reboot is required to complete installation of the compatibility update and related KBs. Check the logs for the exception message and the HResult.</td>
</tr>
<tr>
<td>18 - Appraiser KBs not installed or **appraiser.dll** not found.</td>
<td>Either the Appraiser KBs are not installed, or the **appraiser.dll** file was not found. For more information, see appraiser diagnostic data events and fields information in the [Data collection](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#data-collection-and-privacy) and privacy topic.</td>
</tr>
<tr>
<td>19 - Function **CheckAppraiserKB**, which checks the compatibility update KBs, failed with unexpected exception.</td>
<td>Check the logs for the Exception message and HResult. The script will not run further if this error is not fixed.</td>
</tr>
<tr>
<td>20 - An error occurred when creating or updating the registry key **RequestAllAppraiserVersions** at <font size='1'>**HKLM:\SOFTWARE\Microsoft\WindowsNT
\CurrentVersion\AppCompatFlags\Appraiser**</font> </td>
<td>The registry key is required for data collection to work correctly. Verify that the script is running in a context that has access to the registry key. </td>
</tr>
<tr>
<td>21 - Function **SetRequestAllAppraiserVersions** failed with an unexpected exception.</td>
<td>Check the logs for the exception message and HResult.</td>
</tr>
<tr>
<td>22 - **RunAppraiser** failed with unexpected exception.</td>
<td>Check the logs for the exception message and HResult. Check the **%windir%\System32** directory for the file **CompatTelRunner.exe**. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization's Group Policy to verify it does not remove this file.</td>
</tr>
<tr>
<td>23 - Error finding system variable **%WINDIR%**.</td>
<td>Verify that this environment variable is configured on the computer.</td>
</tr>
<tr>
<td>24 - The script failed when writing **IEDataOptIn** to the registry. An error occurred when creating registry key **IEOptInLevel** at <font size='1'>**HKLM:\SOFTWARE\Microsoft\Windows
\CurrentVersion\Policies\DataCollection**</font></td>
<td>This is a required registry key for IE data collection to work correctly. Verify that the deployment script in running in a context that has access to the registry key. Check the logs for the exception message and HResult.</td>
</tr>
<tr>
<td>25 - The function **SetIEDataOptIn** failed with unexpected exception.</td>
<td>Check the logs for the exception message and HResult.</td>
</tr>
<tr>
<td>27 - The script is not running under **System** account.</td>
<td>The Upgrade Readiness configuration script must be run as **System**. </td>
</tr>
<tr>
<td>28 - Could not create log file at the specified **logPath**.</td>
<td> Make sure the deployment script has access to the location specified in the **logPath** parameter.</td>
</tr>
<tr>
<td>29 - Connectivity check failed for proxy authentication. </td>
<td>Instal cumulative updates on the computer and enable the **DisableEnterpriseAuthProxy** authentication proxy setting.
<BR>The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7.
<BR>For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled).
<BR>For more information on authentication proxy support, see [Authentication proxy support added in new version (12.28.16) of the Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?linkid=838688).</td>
</tr>
<tr>
<td>30 - Connectivity check failed. Registry key property **DisableEnterpriseAuthProxy** is not enabled.</td>
<td>The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7.
<BR>For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled).
<BR>For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688).</td>
</tr>
<tr>
<td>31 - There is more than one instance of the Upgrade Readiness data collector running at the same time on this computer. </td>
<td>Use the Windows Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled to run daily at 3 a.m.</td>
</tr>
<tr>
<td>32 - Appraiser version on the machine is outdated. </td>
<td>The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#deploy-the-compatibility-update-and-related-updates) for Windows 7 SP1/Windows 8.1.</td>
</tr>
<tr>
<td>33 - **CompatTelRunner.exe** exited with an exit code </td>
<td>**CompatTelRunner.exe** runs the appraise task on the machine. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Check the logs for more details. Also see the **Note** following this table for additional steps to follow.</td>
</tr>
<tr>
<td>34 - Function **CheckProxySettings** failed with an unexpected exception. </td>
<td>Check the logs for the exception message and HResult.></td>
</tr>
<tr>
<td>35 - Function **CheckAuthProxy** failed with an unexpected exception.</td>
<td>Check the logs for the exception message and HResult.</td>
</tr>
<tr>
<td>36 - Function **CheckAppraiserEndPointsConnectivity** failed with an unexpected exception.</td>
<td>Check the logs for the exception message and HResult.</td>
</tr>
<tr>
<td>37 - **Diagnose_internal.cmd** failed with an unexpected exception.</td>
<td>Check the logs for the exception message and HResult.</td>
</tr>
<tr>
<td>38 - Function **Get-SqmID** failed with an unexpected exception. </td>
<td>Check the logs for the exception message and HResult.</td>
</tr>
<tr>
<td>39 - For Windows 10: AllowTelemetry property is not set to 1 or higher at registry key path <font size='1'>**HKLM:\SOFTWARE\Policies\Microsoft
\Windows\DataCollection**</font>
or <font size='1'>**HKLM:\SOFTWARE\Microsoft\Windows
\CurrentVersion\Policies\DataCollection**</font></td>
<td>For Windows 10 machines, the **AllowTelemetry** property should be set to 1 or greater to enable data collection. The script will throw an error if this is not true. For more information, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization).</td>
</tr>
<tr>
<td>40 - Function **CheckTelemetryOptIn** failed with an unexpected exception. </td>
<td>Check the logs for the exception message and HResult.</td>
</tr>
<tr>
<td>41 - The script failed to impersonate the currently logged on user. </td>
<td>The script mimics the UTC client to collect upgrade readiness data. When auth proxy is set, the UTC client impersonates the logged on user. The script also tries to mimic this, but the process failed.</td>
</tr>
<tr>
<td>42 - Function **StartImpersonatingLoggedOnUser** failed with an unexpected exception. </td>
<td>Check the logs for the exception message and HResult.</td>
</tr>
<tr>
<td>43 - Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception.</td>
<td>Check the logs for the exception message and HResult.</td>
</tr>
<tr>
<td>44 - Diagtrack.dll version is old, so Auth Proxy will not work.</td>
<td>Update the PC using Windows Update/Windows Server Update Services.</td>
</tr>
<tr>
<td>45 - Diagrack.dll was not found.</td>
<td>Update the PC using Windows Update/Windows Server Update Services.</td>
</tr>
<tr>
<td>48 - **CommercialID** mentioned in RunConfig.bat should be a GUID.</td>
<td>**CommercialID** is mentioned in RunConfig.bat, but it is not a GUID. Copy the commercialID from your workspace. To find the commercialID, in the OMS portal click **Upgrade Readiness > Settings**.</td>
</tr>
<tr>
<td>50 - Diagtrack Service is not running.</td>
<td>Diagtrack Service is required to send data to Microsoft. Enable and run the 'Connected User Experiences and Telemetry' service. </td>
</tr>
<tr>
<td>51 - RunCensus failed with an unexpected exception.</td>
<td>RunCensus explitly runs the process used to collect device information. The method failed with an unexpected exception. Check the ExceptionHResult and ExceptionMessage for more details. </td>
</tr>
<tr>
<td>52 - DeviceCensus.exe not found on a Windows 10 machine.</td>
<td>On computers running Windows 10, the process devicecensus.exe should be present in the <windows directory>\system32 folder. Error code 52 is returned if the process was not found. Ensure that it exists at the specified location. </td>
</tr>
<tr>
<td>53 - There is a different CommercialID present at the GPO path:  <font size="1">**HKLM:\SOFTWARE\Policies\Microsoft
\Windows\DataCollection**</font>. This will take precedence over the CommercialID provided in the script.</td>
<td>Provide the correct CommercialID at the GPO location. </td>
</tr>
</table>
</div>
| Exit code | Suggested fix |
|-----------|--------------|
| 0 - Success | N/A |
| 1 - Unexpected error occurred while executing the script. | The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again. |
| 2 - Error when logging to console. $logMode = 0. (console only) | Try changing the $logMode value to **1** and try again. $logMode value 1 logs to both console and file. |
| 3 - Error when logging to console and file. $logMode = 1. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. |
| 4 - Error when logging to file. $logMode = 2. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. |
| 5 - Error when logging to console and file. $logMode = unknown. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. |
| 6 - The commercialID parameter is set to unknown. | Modify the runConfig.bat file to set the CommercialID value. The value for parameter in the runconfig.bat file should match the Commercial ID key for your workspace. See [Generate your Commercial ID key](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#generate-your-commercial-id-key) for instructions on generating a Commercial ID key for your workspace. |
| 8 - Failure to create registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection**. The Commercial Id property is set at the following registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the context under which the script in running has access to the registry key. |
| 9 - The script failed to write Commercial Id to registry.
Error creating or updating registry key: **CommercialId** at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the context under which the script in running has access to the registry key. |
| 10 - Error when writing **CommercialDataOptIn** to the registry at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the deployment script is running in a context that has access to the registry key. |
| 11 - Function **SetupCommercialId** failed with an unexpected exception. The **SetupCommercialId** function updates the Commercial Id at the registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the configuration script has access to this location. |
| 12 - Cant connect to Microsoft - Vortex. Check your network/proxy settings. | **Http Get** on the end points did not return a success exit code. For Windows 10, connectivity is verified by connecting to https://v10.vortex-win.data.microsoft.com/health/keepalive. For previous operating systems, connectivity is verified by connecting to https://vortex-win.data.microsoft.com/health/keepalive. If there is an error verifying connectivity, this will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md) |
| 13 - Cant connect to Microsoft - setting. | An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Verify that the required endpoints are whitelisted correctly. See Whitelist select endpoints for more details. |
| 14 - Cant connect to Microsoft - compatexchange. An error occurred connecting to [CompatibilityExchangeService.svc](https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc). | This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). |
| 15 - Function CheckVortexConnectivity failed with an unexpected exception. | This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). Check the logs for the exception message and the HResult. |
| 16 - The computer requires a reboot before running the script. | Restart the device to complete the installation of the compatibility update and related updates. Reboot the computer before running the Upgrade Readiness deployment script. |
| 17 - Function **CheckRebootRequired** failed with an unexpected exception. | Restart the device to complete installation of the compatibility update and related updates. Check the logs for the exception message and the HResult. |
|18 - Appraiser KBs not installed or **appraiser.dll** not found. | Either the Appraiser-related updates are not installed, or the **appraiser.dll** file was not found. For more information, see appraiser diagnostic data events and fields information in the [Data collection](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#data-collection-and-privacy) and privacy topic. |
| 19 - Function **CheckAppraiserKB**, which checks the compatibility update KBs, failed with unexpected exception. | Check the logs for the Exception message and HResult. The script will not run further if this error is not fixed. |
| 20 - An error occurred when creating or updating the registry key **RequestAllAppraiserVersions** at **HKLM:\SOFTWARE\Microsoft\WindowsNT \CurrentVersion\AppCompatFlags\Appraiser** | The registry key is required for data collection to work correctly. Verify that the script is running in a context that has access to the registry key. |
| 21 - Function **SetRequestAllAppraiserVersions** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
| 22 - **RunAppraiser** failed with unexpected exception. | Check the logs for the exception message and HResult. Check the **%windir%\System32** directory for the file **CompatTelRunner.exe**. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization's Group Policy to verify it does not remove this file. |
| 23 - Error finding system variable **%WINDIR%**. | Verify that this environment variable is configured on the computer. |
| 24 - The script failed when writing **IEDataOptIn** to the registry. An error occurred when creating registry key **IEOptInLevel** at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | This is a required registry key for IE data collection to work correctly. Verify that the deployment script in running in a context that has access to the registry key. Check the logs for the exception message and HResult. |
| 25 - The function **SetIEDataOptIn** failed with unexpected exception. | Check the logs for the exception message and HResult. |
| 27 - The script is not running under **System** account. | The Upgrade Readiness configuration script must be run as **System**. |
| 28 - Could not create log file at the specified **logPath**. | Make sure the deployment script has access to the location specified in the **logPath** parameter. |
| 29 - Connectivity check failed for proxy authentication. | Install cumulative updates on the device and enable the **DisableEnterpriseAuthProxy** authentication proxy setting. The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7\. For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). For more information on authentication proxy support, see [Authentication proxy support added in new version (12.28.16) of the Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?linkid=838688). |
| 30 - Connectivity check failed. Registry key property **DisableEnterpriseAuthProxy** is not enabled. | The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7\. For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). |
| 31 - There is more than one instance of the Upgrade Readiness data collector running at the same time on this computer. Use Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled by default to run daily at 0300. |
| 32 - Appraiser version on the machine is outdated. | The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#deploy-the-compatibility-update-and-related-updates) for Windows 7 SP1/Windows 8.1. |
| 33 - **CompatTelRunner.exe** exited with an exit code | **CompatTelRunner.exe** runs the appraise task on the device. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Check the logs for more details. Also see the **Note** following this table for additional steps to follow. |
| 34 - Function **CheckProxySettings** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
| 35 - Function **CheckAuthProxy** failed with an unexpected exception. Check the logs for the exception message and HResult. |
| 36 - Function **CheckAppraiserEndPointsConnectivity** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
| 37 - **Diagnose_internal.cmd** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
| 38 - Function **Get-SqmID** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
| 39 - For Windows 10: AllowTelemetry property is not set to 1 or higher at registry key path **HKLM:\SOFTWARE\Policies\Microsoft \Windows\DataCollection** or **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | For Windows 10 devices, the **AllowTelemetry** property should be set to 1 or greater to enable data collection. The script will return an error if this is not true. For more information, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization). |
| 40 - Function **CheckTelemetryOptIn** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
| 41 - The script failed to impersonate the currently logged on user. | The script mimics the UTC client to collect upgrade readiness data. When auth proxy is set, the UTC client impersonates the user that is logged on. The script also tries to mimic this, but the process failed. |
| 42 - Function **StartImpersonatingLoggedOnUser** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
| 43 - Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
| 44 - Diagtrack.dll version is old, so Auth Proxy will not work. | Update the device using Windows Update or Windows Server Update Services. |
| 45 - Diagrack.dll was not found. | Update the device using Windows Update or Windows Server Update Services. |
| 48 - **CommercialID** mentioned in RunConfig.bat should be a GUID. | Copy the commercialID from your workspace. To find the commercialID, in the OMS portal click **Upgrade Readiness > Settings**. |
| 50 - Diagtrack Service is not running. | The Diagtrack service is required to send data to Microsoft. Enable and run the "Connected User Experiences and Telemetry" service. |
| 51 - RunCensus failed with an unexpected exception. | RunCensus explitly runs the process used to collect device information. The method failed with an unexpected exception. Check the ExceptionHResult and ExceptionMessage for more details. |
| 52 - DeviceCensus.exe not found on a Windows 10 machine. | On computers running Windows 10, the process devicecensus.exe should be present in the \system32 directory. Error code 52 is returned if the process was not found. Ensure that it exists at the specified location. |
| 53 - There is a different CommercialID present at the GPO path: **HKLM:\SOFTWARE\Policies\Microsoft \Windows\DataCollection**. This will take precedence over the CommercialID provided in the script. | Provide the correct CommercialID at the GPO location. |
| 54 - Microsoft Account Sign In Assistant Service is Disabled. | This service is required for devices running Windows 10. The diagnostic data client relies on the Microsoft Account Sign In Assistant (MSA) to get the Global Device ID for the device. Without the MSA service running, the global device ID will not be generated and sent by the client. |
| 55 - SetDeviceNameOptIn function failed to create registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | The function SetDeviceNameOptIn sets the registry key value which determines whether to send the device name in diagnostic data. The function tries to create the registry key path if it does not already exist. Verify that the account has the correct permissions to change or add registry keys. |
| 56 - SetDeviceNameOptIn function failed to create property AllowDeviceNameInTelemetry at registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | Verify that the account has the correct permissions to change or add registry keys.|
| 57 - SetDeviceNameOptIn function failed to update AllowDeviceNameInTelemetry property to value 1 at registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | Verify that the account has the correct permissions to change or add registry keys. |
| 58 - SetDeviceNameOptIn function failed with unexpected exception | The function SetDeviceNameOptIn failed with an unexpected exception. |
| 59 - CleanupOneSettings failed to delete LastPersistedEventTimeOrFirstBoot property at registry key path: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Diagtrack** |The CleanupOneSettings function clears some of the cached values needed by the Appraiser which is the data collector on the monitored device. This helps in the download of the most recent for accurate running of the data collector. Verify that the account has the correct permissions to change or add registry keys. |
| 60 - CleanupOneSettings failed to delete registry key: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ Diagnostics\Diagtrack\SettingsRequests** | Verify that the account has the correct permissions to change or add registry keys. |
| 61 - CleanupOneSettings failed with an exception | CleanupOneSettings failed with an unexpected exception. |
>[!NOTE]

23
windows/deployment/volume-activation/active-directory-based-activation-overview.md
View File

@ -7,18 +7,29 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
author: greg-lindsay
ms.date: 04/19/2017
ms.date: 12/07/2018
---
# Active Directory-Based Activation Overview
# Active Directory-Based Activation overview
Active Directory-Based Activation (ADBA) enables enterprises to activate computers through a connection to their domain. Many companies have computers at offsite locations that use products that are registered to the company. Previously these computers needed to either use a retail key or a Multiple Activation Key (MAK), or physically connect to the network in order to activate their products by using Key Management Services (KMS). ADBA provides a way to activate these products if the computers can join the companys domain. When the user joins their computer to the domain, the ADBA object automatically activates Windows installed on their computer, as long as the computer has a Generic Volume License Key (GVLK) installed. No single physical computer is required to act as the activation object, because it is distributed throughout the domain.
## Active Directory-Based Activation Scenarios
## ADBA scenarios
VAMT enables IT Professionals to manage and activate the Active Directory-Based Activation object. Activation can be performed by using a scenario such as the following:
- Online activation: To activate an ADBA forest online, the user selects the **Online activate forest** function, selects a KMS Host key (CSVLK) to use, and gives the Active Directory-Based Activation Object a name.
- Proxy activation: For a proxy activation, the user first selects the **Proxy activate forest** function, selects a KMS Host key (CSVLK) to use, gives the Active Directory-Based Activation Object a name, and provides a file name to save the CILx file that contains the Installation ID. Next, the user takes that file to a computer that is running VAMT with an Internet connection and then selects the **Acquire confirmation IDs for CILX** function on the VAMT landing page, and provides the original CILx file. When VAMT has loaded the Confirmation IDs into the original CILx file, the user takes this file back to the original VAMT instance, where the user completes the proxy activation process by selecting the **Apply confirmation ID to Active Directory domain** function.
You might use ADBA if you only want to activate domain joined devices.
If you have a server hosting the KMS service, it can be necessary to reactivate licenses if the server is replaced with a new host. This is not necessary When ADBA is used.
ADBA can also make load balancing easier when multiple KMS servers are present since the client can connect to any domain controller. This is simpler than using the DNS service to load balance by configuring priority and weight values.
Some VDI solutions also require that new clients activate during creation before they are added to the pool. In this scenario, ADBA can eliminate potential VDI issues that might arise due to a KMS outage.
## ADBA methods
VAMT enables IT Professionals to manage and activate the ADBA object. Activation can be performed using the following methods:
- Online activation: To activate an ADBA forest online, the user selects the **Online activate forest** function, selects a KMS Host key (CSVLK) to use, and gives the ADBA Object a name.
- Proxy activation: For a proxy activation, the user first selects the **Proxy activate forest** function, selects a KMS Host key (CSVLK) to use, gives the ADBA Object a name, and provides a file name to save the CILx file that contains the Installation ID. Next, the user takes that file to a computer that is running VAMT with an Internet connection and then selects the **Acquire confirmation IDs for CILX** function on the VAMT landing page, and provides the original CILx file. When VAMT has loaded the Confirmation IDs into the original CILx file, the user takes this file back to the original VAMT instance, where the user completes the proxy activation process by selecting the **Apply confirmation ID to Active Directory domain** function.
## Related topics

4
windows/deployment/windows-autopilot/TOC.md
View File

@ -1,16 +1,15 @@
# [Windows Autopilot](windows-autopilot.md)
## [Requirements](windows-autopilot-requirements.md)
### [Configuration requirements](windows-autopilot-requirements-configuration.md)
#### [Intune Connector (preview)](intune-connector.md)
### [Network requirements](windows-autopilot-requirements-network.md)
### [Licensing requirements](windows-autopilot-requirements-licensing.md)
### [Intune Connector (preview)](intune-connector.md)
## [Scenarios and Capabilities](windows-autopilot-scenarios.md)
### [Support for existing devices](existing-devices.md)
### [User-driven mode](user-driven.md)
#### [Azure Active Directory joined](user-driven-aad.md)
#### [Hybrid Azure Active Directory joined](user-driven-hybrid.md)
### [Self-deploying mode](self-deploying.md)
### [Enrollment status page](enrollment-status.md)
### [Windows Autopilot Reset](windows-autopilot-reset.md)
#### [Remote reset](windows-autopilot-reset-remote.md)
#### [Local reset](windows-autopilot-reset-local.md)
@ -18,6 +17,7 @@
### [Configuring](configure-autopilot.md)
#### [Adding devices](add-devices.md)
#### [Creating profiles](profiles.md)
#### [Enrollment status page](enrollment-status.md)
### [Administering Autopilot via Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
### [Administering Autopilot via Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
### [Administering Autopilot via Microsoft 365 Business & Office 365 Admin portal](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)

40
windows/deployment/windows-autopilot/add-devices.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greg-lindsay
ms.date: 10/02/2018
ms.date: 12/12/2018
---
# Adding devices to Windows Autopilot
@ -20,6 +20,20 @@ ms.date: 10/02/2018
Before deploying a device using Windows Autopilot, the device must be registered with the Windows Autopilot deployment service. Ideally, this would be performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually.
## Manual registration
To perform manual registration of a device, you must caputure its hardware ID (also known as a hardware hash) and upload this to the Windows Autopilot deployment service. See the topics below for detailed information on how to collect and upload hardware IDs.
>[!IMPORTANT]
>Do not connect devices to the Internet prior to capturing the hardware ID and creating an Autopilot device profile. This includes collecting the hardware ID, uploading the .CSV into MSfB or Intune, assigning the profile, and confirming the profile assignment. Connecting the device to the Internet before this process is complete will result in the device downloading a blank profile that is stored on the device until it is explicity removed. In Windows 10 version 1809, you can clear the cached profile by restarting OOBE. In previous versions, the only way to clear the stored profile is to re-install the OS, reimage the PC, or run **sysprep /generalize /oobe**. <br>
>After Intune reports the profile ready to go, only then should the device be connected to the Internet.
Also note that if OOBE is restarted too many times it can enter a recovery mode and fail to run the Autopilot configuration. You can identify this scenario if OOBE displays multiple configuration options on the same page, including language, region, and keyboard layout. The normal OOBE displays each of these on a separate page. The following value key tracks the count of OOBE retries:
**HKCU\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UserOOBE**
To ensure OOBE has not been restarted too many times, you can change this value to 1.
## Device identification
To define a device to the Windows Autopilot deployment service, a unique hardware ID for the device needs to be captured and uploaded to the service. While this step is ideally done by the hardware vendor (OEM, reseller, or distributor), automatically associating the device with an organization, it is also possible to do this through a harvesting process that collects the device from within a running Windows 10 version 1703 or later installation.
@ -32,28 +46,26 @@ Note that the hardware hash also contains details about when it was generated, s
The hardware ID, or hardware hash, for an existing device is available through Windows Management Instrumentation (WMI), as long as that device is running Windows 10 version 1703 or later. To help gather this information, as well as the serial number of the device (useful to see at a glance the machine to which it belongs), a PowerShell script called [Get-WindowsAutoPilotInfo.ps1 has been published to the PowerShell Gallery website](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo).
To use this script, you can download it from the PowerShell Gallery and run it on each computer, or you can install it directly from the PowerShell Gallery. To install it directly and capture the hardware hash from the local computer, these commands can be used:
To use this script, you can download it from the PowerShell Gallery and run it on each computer, or you can install it directly from the PowerShell Gallery. To install it directly and capture the hardware hash from the local computer, use the following commands from an elevated Windows PowerShell prompt:
*md c:\\HWID*
```powershell
md c:\\HWID
Set-Location c:\\HWID
Set-ExecutionPolicy Unrestricted
Install-Script -Name Get-WindowsAutoPilotInfo
Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv
```
*Set-Location c:\\HWID*
*Set-ExecutionPolicy Unrestricted*
*Install-Script -Name Get-WindowsAutoPilotInfo*
*Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv*
You must run this PowerShell script with administrator privileges (elevated). It can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the Get-WindowsAutoPilotInfo scripts help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information.
The commands can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the Get-WindowsAutoPilotInfo scripts help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information about running the script.
>[!NOTE]
>With Windows 10 version 1803 and above, devices will download an Autopilot profile as soon as they connect to the internet. For devices that are not yet registered with the Autopilot deployment service, a profile will be downloaded that indicates the device should not be deployed using Autopilot. If the device connects to the internet as part of the collection process, you will need to reset the PC, reimage the PC, or re-generalize the OS (using sysprep /generalize /oobe).
>If you will connect to the device remotely to collect the hardware ID, see the information at the top of this page about device connectivity to the Internet.
## Collecting the hardware ID from existing devices using System Center Configuration Manager
Starting with System Center Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [Whats new in version 1802](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details.
## Uploading hardware IDs
## Registering devices
Once the hardware IDs have been captured from existing devices, they can be uploaded through a variety of means. See the detailed documentation for each available mechanism:

5
windows/deployment/windows-autopilot/configure-autopilot.md
View File

@ -26,7 +26,10 @@ When deploying new devices using Windows Autopilot, a common set of steps are re
2. [Assign a profile of settings to each device](profiles.md), specifying how the device should be deployed and what user experience should be presented.
3. Boot the device. When the device is connected to a network with internet access, it will contact the Windows Autopilot deployment service to see if the device is registered, and if it is, it will download the profile settings which are used to customize the end user experience.
3. Boot the device. When the device is connected to a network with internet access, it will contact the Windows Autopilot deployment service to see if the device is registered, and if it is, it will download profile settings such as the [Enrollment Status page](enrollment-status.md), which are used to customize the end user experience.
<img src="./images/image2.png" width="511" height="249" />
## Related topics
[Windows Autopilot scenarios](windows-autopilot-scenarios.md)

23
windows/deployment/windows-autopilot/enrollment-status.md
View File

@ -33,8 +33,12 @@ The Windows Autopilot Enrollment Status page displaying the status of the comple
<tr><td>Show error when installation takes longer than specified number of minutes<td colspan="2">Specify the number of minutes to wait for installation to complete. A default value of 60 minutes is entered.
<tr><td>Show custom message when an error occurs<td>A text box is provided where you can specify a custom message to display in case of an installation error.<td>The default message is displayed: <br><b>Oh no! Something didn't do what it was supposed to. Please contact your IT department.<b>
<tr><td>Allow users to collect logs about installation errors<td>If there is an installation error, a <b>Collect logs</b> button is displayed. <br>If the user clicks this button they are asked to choose a location to save the log file <b>MDMDiagReport.cab</b><td>The <b>Collect logs</b> button is not displayed if there is an installation error.
<tr><td>Block device use until these required apps are installed if they are assigned to the user/device<td colspan="2">Choose <b>All</b> or <b>Selected</b>. <br><br>If <b>Selected</b> is chosen, a <b>Select apps</b> button is displayed that enables you to choose which apps must be installed prior to enabling device use.
</table>
>[!NOTE]
>The setting to **block device use until required apps are installed** was added in December 2018. This setting is not available in existing profile that were created before this date. To use this setting, you must create a new profile.
See the following example:
![Enrollment status page settings](images/esp-settings.png)
@ -48,13 +52,20 @@ The Enrollment Status page tracks a subset of the available MDM CSP policies tha
- Enterprise desktop apps (single-file MSIs) installed by the [Enterprise Desktop App Management CSP](https://docs.microsoft.com/windows/client-management/mdm/enterprisedesktopappmanagement-csp).
- Certain device configuration policies.
Presently the following types of policies are not tracked:
The following types of policies and installations are not tracked:
- Intune Management Extensions PowerShell scripts.
- Office 365 ProPlus installations.
- System Center Configuration Manager apps, packages, and task sequences.
- Intune Management Extensions PowerShell scripts
- Office 365 ProPlus installations<sup>**</sup>
- System Center Configuration Manager apps, packages, and task sequences
## For more information
<sup>**</sup>The ability to track Office 365 ProPlus installations was added with Windows 10, version 1809.<br>
## More information
For more information on configuring the Enrollment Status page, see the [Microsoft Intune documentation](https://docs.microsoft.com/intune/windows-enrollment-status).<br>
For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP docuementation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).<br>
For more information about blocking for app installation:
- [Blocking for app installation using Enrollment Status Page](https://blogs.technet.microsoft.com/mniehaus/2018/12/06/blocking-for-app-installation-using-enrollment-status-page/).
- [Support Tip: Office C2R installation is now tracked during ESP](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Office-C2R-installation-is-now-tracked-during-ESP/ba-p/295514).
For more information on configuring the Enrollment Status page, [see the Microsoft Intune documentation](https://docs.microsoft.com/intune/windows-enrollment-status). For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP docuementation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).

BIN
windows/deployment/windows-autopilot/images/esp-settings.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 62 KiB

After

Width:  |  Height:  |  Size: 31 KiB

30
windows/deployment/windows-autopilot/profiles.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greg-lindsay
ms.date: 10/02/2018
ms.date: 12/13/2018
---
# Configure Autopilot profiles
@ -18,7 +18,29 @@ ms.date: 10/02/2018
- Windows 10
For each device that has been defined to the Windows Autopilot deployment service, a profile of settings needs to be applied to specify the exact behavior of that device when it is deployed. The following profile settings are available:
For each device that has been defined to the Windows Autopilot deployment service, a profile of settings needs to be applied that specifies the exact behavior of that device when it is deployed. For detailed procedures on how to configure profile settings and register devices, see [Registering devices](add-devices.md#registering-devices).
## Profile download
When an Internet-connected Windows 10 device boots up, it will attempt to connect to the Autopilot service and download an Autopilot profile. Note: It is important that a profile exists at this stage so that a blank profile is not cached locally on the PC. To remove the currently cached local profile in Windows 10 version 1803 and earlier, it is necessary to re-generalize the OS using **sysprep /generalize /oobe**, reinstall the OS, or re-image the PC. In Windows 10 version 1809 and later, you can retrieve a new profile by rebooting the PC.
When a profile is downloaded depends on the version of Windows 10 that is running on the PC. See the following table.
| Windows 10 version | Profile download behavior |
| --- | --- |
| 1703 and 1709 | The profile is downloaded after the OOBE network connection page. This page is not displayed when using a wired connection. In this case, the profile is downloaded just prior to the EULA screen. |
| 1803 | The profile is downloaded as soon as possible. If wired, it is downloaded at the start of OOBE. If wireless, it is downloaded after the network connection page. |
| 1809 | The profile is downloaded as soon as possible (same as 1803), and again after each reboot. |
If you need to reboot a computer during OOBE:
- Press Shift-F10 to open a command prompt.
- Enter **shutdown /r /t 0** to restart immediately, or **shutdown /s /t 0** to shutdown immediately.
For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options).
## Profile settings
The following profile settings are available:
- **Skip Cortana, OneDrive and OEM registration setup pages**. All devices registered with Autopilot will automatically skip these pages during the out-of-box experience (OOBE) process.
@ -33,3 +55,7 @@ For each device that has been defined to the Windows Autopilot deployment servic
- **Skip End User License Agreement (EULA)**. Starting in Windows 10 version 1709, organizations can decide to skip the EULA page presented during the OOBE process. This means that organizations accept the EULA terms on behalf of their users.
- **Disable Windows consumer features**. Starting in Windows 10 version 1803, organizations can disable Windows consumer features so that the device does not automatically install any additional Microsoft Store apps when the user first signs into the device. See the [MDM documentation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) for more details.
## Related topics
[Configure Autopilot deployment](configure-autopilot.md)

144
windows/deployment/windows-autopilot/windows-10-autopilot.md
View File

@ -1,144 +0,0 @@
---
title: Overview of Windows Autopilot
description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greg-lindsay
ms.date: 10/02/2018
---
# Overview of Windows Autopilot
**Applies to**
- Windows 10
Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows Autopilot to reset, repurpose and recover devices.</br>
This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple.
The following video shows the process of setting up Autopilot:
</br>
<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/KYVptkpsOqs" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>
## Benefits of Windows Autopilot
Traditionally, IT pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows Autopilot introduces a new approach.
From the users' perspective, it only takes a few simple operations to make their device ready to use.
From the IT pros' perspective, the only interaction required from the end user, is to connect to a network and to verify their credentials. Everything past that is automated.
## Windows Autopilot Scenarios
### Cloud-Driven
The Cloud-Driven scenario enables you to pre-register devices through the Windows Autopilot Deployment Program. Your devices will be fully configured with no additional intervention required on the users' side.
#### The Windows Autopilot Deployment Program experience
The Windows Autopilot Deployment Program enables you to:
* Automatically join devices to Azure Active Directory (Azure AD)
* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites))
* Restrict the Administrator account creation
* Create and auto-assign devices to configuration groups based on a device's profile
* Customize OOBE content specific to the organization
##### Prerequisites
>[!NOTE]
>Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options.
* [Devices must be registered to the organization](#device-registration-and-oobe-customization)
* [Company branding needs to be configured](#configure-company-branding-for-oobe)
* [Network connectivity to cloud services used by Windows Autopilot](#network-connectivity-requirements)
* Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later
* Devices must have access to the internet
* [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features)
* [Users must be allowed to join devices into Azure AD](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal)
* Microsoft Intune or other MDM services to manage your devices
The end-user unboxes and turns on a new device. What follows are a few simple configuration steps:
* Select a language and keyboard layout
* Connect to the network
* Provide email address (the email address of the user's Azure AD account) and password
Multiple additional settings are skipped here, since the device automatically recognizes that [it belongs to an organization](#registering-devices-to-your-organization). Following this process the device is joined to Azure AD, enrolled in Microsoft Intune (or any other MDM service).
MDM enrollment ensures policies are applied, apps are installed and setting are configured on the device. Windows Update for Business applies the latest updates to ensure the device is up to date.
</br>
<iframe width="560" height="315" align="center" src="https://www.youtube-nocookie.com/embed/4K4hC5NchbE" frameborder="0" allowfullscreen></iframe>
#### Device registration and OOBE customization
To register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf.
If you would like to capture that information by yourself, you can use the [Get-WindowsAutopilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo), which will generate a .csv file with the device's hardware ID.
Once devices are registered, these are the OOBE customization options available for Windows 10, starting with version 1703:
* Skipping Work or Home usage selection (*Automatic*)
* Skipping OEM registration, OneDrive and Cortana (*Automatic*)
* Skipping privacy settings
* Skipping EULA (*starting with Windows 10, version 1709*)
* Preventing the account used to set-up the device from getting local administrator permissions
For guidance on how to register devices, configure and apply deployment profiles, follow one of the available administration options:
* [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
* [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
* [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
##### Configure company branding for OOBE
In order for your company branding to appear during the OOBE, you'll need to configure it in Azure Active Directory first.
See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory), to configure these settings.
##### Configure MDM auto-enrollment in Microsoft Intune
In order for your devices to be auto-enrolled into MDM management, MDM auto-enrollment needs to be configured in Azure AD. To do that with Microsoft Intune, please see [Enroll Windows devices for Microsoft Intune](https://docs.microsoft.com/intune/windows-enroll). For other MDM vendors, please consult your vendor for further details.
>[!NOTE]
>MDM auto-enrollment requires an Azure AD Premium P1 or P2 subscription.
#### Network connectivity requirements
The Windows Autopilot Deployment Program uses a number of cloud services to get your devices to a productive state. This means those services need to be accessible from devices registered as Windows Autopilot devices.
To manage devices behind firewalls and proxy servers, the following URLs need to be accessible:
* https://go.microsoft.com
* https://login.microsoftonline.com
* https://login.live.com
* https://account.live.com
* https://signup.live.com
* https://licensing.mp.microsoft.com
* https://licensing.md.mp.microsoft.com
* ctldl.windowsupdate.com
* download.windowsupdate.com
>[!NOTE]
>Where not explicitly specified, both HTTPS (443) and HTTP (80) need to be accessible.
>[!TIP]
>If you're auto-enrolling your devices into Microsoft Intune, or deploying Microsoft Office, make sure you follow the networking guidelines for [Microsoft Intune](https://docs.microsoft.com/intune/network-bandwidth-use#network-communication-requirements) and [Office 365](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2).
### IT-Driven
If you are planning to configure devices with traditional on-premises or cloud-based solutions, the [Windows Configuration Designer](https://www.microsoft.com/store/p/windows-configuration-designer/9nblggh4tx22) can be used to help automate the process. This is more suited to scenarios in which you require a higher level of control over the provisioning process. For more information on creating provisioning packages with Windows Configuration Designer, see [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package).
### Self-Deploying
Windows Autopilot self-deploying mode offers truly zero touch provisioning. With this mode, all you need to do is power on a device, plug it into Ethernet, and watch Windows Autopilot fully configure the device. No additional user interaction is required. see [Windows Autopilot Self-Deploying mode (Preview)] (/windows/deployment/windows-autopilot/self-deploying).
### Teacher-Driven
If you're an IT pro or a technical staff member at a school, your scenario might be simpler. The [Set Up School PCs](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details.

16
windows/deployment/windows-autopilot/windows-autopilot-requirements.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greg-lindsay
ms.date: 10/02/2018
ms.date: 12/13/2018
---
# Windows Autopilot requirements
@ -18,6 +18,14 @@ ms.date: 10/02/2018
Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met:
- [Licensing requirements](windows-autopilot-requirements-licensing.md) must be met.
- [Networking requirements](windows-autopilot-requirements-network.md) need to be met.
- [Configuration requirements](windows-autopilot-requirements-configuration.md) need to be completed.
See the following topics for details on licensing, network, and configuration requirements:
- [Licensing requirements](windows-autopilot-requirements-licensing.md)
- [Networking requirements](windows-autopilot-requirements-network.md)
- [Configuration requirements](windows-autopilot-requirements-configuration.md)
- For details about specific configuration requirements to enable user-driven Hybrid Azure Active Directory join for Windows Autopilot, see [Intune Connector (preview) language requirements](intune-connector.md). This requirement is a temporary workaround, and will be removed in the next release of Intune Connector.
There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications).
## Related topics
[Configure Autopilot deployment](configure-autopilot.md)

12
windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greg-lindsay
ms.date: 10/02/2018
ms.date: 12/13/2018
---
# Windows Autopilot scenarios
@ -20,7 +20,11 @@ Windows Autopilot includes support for a growing list of scenarios, designed to
For details about these scenarios, see these additional topics:
- [Windows Autopilot user-driven mode](user-driven.md), for devices that will be set up by a member of the organization and configured for that person.
- [Windows Autopilot self-deploying mode](self-deploying.md), for devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device.
- [Windows Autopilot Reset](windows-autopilot-reset.md),
- [Windows Autopilot for existing devices](existing-devices.md), to deploy Windows 10 on an existing Windows 7 or 8.1 device.
- [Windows Autopilot user-driven mode](user-driven.md), for devices that will be set up by a member of the organization and configured for that person.
- [Windows Autopilot self-deploying mode](self-deploying.md), for devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device.
- [Windows Autopilot Reset](windows-autopilot-reset.md), to re-deploy a device in a business-ready state.
## Related topics
[Windows Autopilot Enrollment Status page](enrollment-status.md)

134
windows/deployment/windows-autopilot/windows-autopilot.md
View File

@ -1,10 +1,10 @@
---
title: Overview of Windows Autopilot
description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
@ -14,7 +14,12 @@ ms.date: 10/02/2018
# Overview of Windows Autopilot
**Applies to: Windows 10**
**Applies to**
- Windows 10
Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows Autopilot to reset, repurpose and recover devices.</br>
This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple.
Windows Autopilot is designed to simplify all parts of the lifecycle of Windows devices, for both IT and end users, from initial deployment through the eventual end of life. Leveraging cloud-based services, it can reduce the overall costs for deploying, managing, and retiring devices by reducing the amount of time that IT needs to spend on these processes and the amount of infrastructure that they need to maintain, while ensuring ease of use for all types of end users.
@ -24,3 +29,126 @@ When initially deploying new Windows devices, Windows Autopilot leverages the OE
Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intune, Windows Update for Business, System Center Configuration Manager, and other similar tools. Windows Autopilot can help with device re-purposing scenarios, leveraging Windows Autopilot Reset to quickly prepare a device for a new user, as well as in break/fix scenarios to enable a device to quickly be brought back to a business-ready state.
## Windows Autopilot walkthrough
The following video shows the process of setting up Windows Autopilot:
</br>
<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/KYVptkpsOqs" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>
## Benefits of Windows Autopilot
Traditionally, IT pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows Autopilot introduces a new approach.
From the users' perspective, it only takes a few simple operations to make their device ready to use.
From the IT pros' perspective, the only interaction required from the end user, is to connect to a network and to verify their credentials. Everything past that is automated.
## Windows Autopilot Scenarios
### Cloud-Driven
The Cloud-Driven scenario enables you to pre-register devices through the Windows Autopilot Deployment Program. Your devices will be fully configured with no additional intervention required on the users' side.
#### The Windows Autopilot Deployment Program experience
The Windows Autopilot Deployment Program enables you to:
* Automatically join devices to Azure Active Directory (Azure AD)
* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites))
* Restrict the Administrator account creation
* Create and auto-assign devices to configuration groups based on a device's profile
* Customize OOBE content specific to the organization
##### Prerequisites
>[!NOTE]
>Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options.
* [Devices must be registered to the organization](#device-registration-and-oobe-customization)
* [Company branding needs to be configured](#configure-company-branding-for-oobe)
* [Network connectivity to cloud services used by Windows Autopilot](#network-connectivity-requirements)
* Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later
* Devices must have access to the internet
* [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features)
* [Users must be allowed to join devices into Azure AD](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal)
* Microsoft Intune or other MDM services to manage your devices
The end-user unboxes and turns on a new device. What follows are a few simple configuration steps:
* Select a language and keyboard layout
* Connect to the network
* Provide email address (the email address of the user's Azure AD account) and password
Multiple additional settings are skipped here, since the device automatically recognizes that [it belongs to an organization](#registering-devices-to-your-organization). Following this process the device is joined to Azure AD, enrolled in Microsoft Intune (or any other MDM service).
MDM enrollment ensures policies are applied, apps are installed and setting are configured on the device. Windows Update for Business applies the latest updates to ensure the device is up to date.
</br>
<iframe width="560" height="315" align="center" src="https://www.youtube-nocookie.com/embed/4K4hC5NchbE" frameborder="0" allowfullscreen></iframe>
#### Device registration and OOBE customization
To register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf.
If you would like to capture that information by yourself, you can use the [Get-WindowsAutopilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo), which will generate a .csv file with the device's hardware ID.
Once devices are registered, these are the OOBE customization options available for Windows 10, starting with version 1703:
* Skipping Work or Home usage selection (*Automatic*)
* Skipping OEM registration, OneDrive and Cortana (*Automatic*)
* Skipping privacy settings
* Skipping EULA (*starting with Windows 10, version 1709*)
* Preventing the account used to set-up the device from getting local administrator permissions
For guidance on how to register devices, configure and apply deployment profiles, follow one of the available administration options:
* [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
* [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
* [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
##### Configure company branding for OOBE
In order for your company branding to appear during the OOBE, you'll need to configure it in Azure Active Directory first.
See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory), to configure these settings.
##### Configure MDM auto-enrollment in Microsoft Intune
In order for your devices to be auto-enrolled into MDM management, MDM auto-enrollment needs to be configured in Azure AD. To do that with Microsoft Intune, please see [Enroll Windows devices for Microsoft Intune](https://docs.microsoft.com/intune/windows-enroll). For other MDM vendors, please consult your vendor for further details.
>[!NOTE]
>MDM auto-enrollment requires an Azure AD Premium P1 or P2 subscription.
#### Network connectivity requirements
The Windows Autopilot Deployment Program uses a number of cloud services to get your devices to a productive state. This means those services need to be accessible from devices registered as Windows Autopilot devices.
To manage devices behind firewalls and proxy servers, the following URLs need to be accessible:
* https://go.microsoft.com
* https://login.microsoftonline.com
* https://login.live.com
* https://account.live.com
* https://signup.live.com
* https://licensing.mp.microsoft.com
* https://licensing.md.mp.microsoft.com
* ctldl.windowsupdate.com
* download.windowsupdate.com
>[!NOTE]
>Where not explicitly specified, both HTTPS (443) and HTTP (80) need to be accessible.
>[!TIP]
>If you're auto-enrolling your devices into Microsoft Intune, or deploying Microsoft Office, make sure you follow the networking guidelines for [Microsoft Intune](https://docs.microsoft.com/intune/network-bandwidth-use#network-communication-requirements) and [Office 365](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2).
### IT-Driven
If you are planning to configure devices with traditional on-premises or cloud-based solutions, the [Windows Configuration Designer](https://www.microsoft.com/store/p/windows-configuration-designer/9nblggh4tx22) can be used to help automate the process. This is more suited to scenarios in which you require a higher level of control over the provisioning process. For more information on creating provisioning packages with Windows Configuration Designer, see [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package).
### Self-Deploying
Windows Autopilot self-deploying mode offers truly zero touch provisioning. With this mode, all you need to do is power on a device, plug it into Ethernet, and watch Windows Autopilot fully configure the device. No additional user interaction is required. see [Windows Autopilot Self-Deploying mode (Preview)] (/windows/deployment/windows-autopilot/self-deploying).
### Teacher-Driven
If you're an IT pro or a technical staff member at a school, your scenario might be simpler. The [Set Up School PCs](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details.

1
windows/hub/TOC.md
View File

@ -1,5 +1,6 @@
# [Windows 10 and Windows 10 Mobile](index.md)
## [What's new](/windows/whats-new)
## [Release information](release-information.md)
## [Deployment](/windows/deployment)
## [Configuration](/windows/configuration)
## [Client management](/windows/client-management)

1
windows/hub/docfx.json
View File

@ -38,7 +38,6 @@
"ms.technology": "windows",
"ms.topic": "article",
"ms.author": "brianlic",
"ms.date": "04/05/2017",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",

37
windows/hub/release-information.md Normal file
View File

@ -0,0 +1,37 @@
---
title: Windows 10 - release information
description: Learn release information for Windows 10 releases
keywords: ["Windows 10", "Windows 10 October 2018 Update"]
ms.prod: w10
layout: LandingPage
ms.topic: landing-page
ms.mktglfcycl: deploy
ms.sitesec: library
author: lizap
ms.author: elizapo
ms.localizationpriority: high
---
# Windows 10 - Release information
>[!IMPORTANT]
> The URL for the release information page has changed - update your bookmark!
Microsoft has updated its servicing model. The Semi-Annual Channel (SAC) offers twice-per-year feature updates that release around March and September, with an 18-month servicing period for each release. Starting with Windows 10, version 1809, feature updates for Windows 10 Enterprise and Education editions with a targeted release month of September will be serviced for 30 months from their release date (more information can be found [here](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop/)).
If you are not using Windows Update for Business today, “Semi-Annual Channel (Targeted)” (SAC-T) has no impact on your devices (more information can be found [here](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747)), and we recommend you begin deployment of each Semi-Annual Channel release right away to devices selected for early adoption and ramp up to full deployment at your discretion. This will enable you to gain access to new features, experiences, and integrated security as soon as possible.
If you are using Windows Update for Business today, refer to the table below to understand when your device will be updated, based on which deferral period you have configured, SAC -T or SAC.
**Notice: November 13, 2018:** All editions of Windows 10 October 2018 Update, version 1809, for Windows client and server have resumed. Customers currently running Windows 10, version 1809, will receive build 17763.134 as part of our regularly scheduled Update Tuesday servicing in November. If you update to the Window 10, version 1809, feature update you will receive build 17763.107. On the next automatic scan for updates, youll be taken to the latest cumulative update (build 17763.134 or higher).
November 13 marks the revised start of the servicing timeline for the Semi-Annual Channel ("Targeted") and Long-Term Servicing Channel (LTSC) release for Windows 10, version 1809, Windows Server 2019, and Windows Server, version 1809.
For information about the re-release and updates to the support lifecycle, refer to [John Cable's blog](https://blogs.windows.com/windowsexperience/2018/10/09/updated-version-of-windows-10-october-2018-update-released-to-windows-insiders/), [Windows 10 Update History](https://support.microsoft.com/help/4464619), and the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853).
<div class="m-rich-content-block" data-grid="col-12">
<div id="winrelinfo" xmlns="http://www.w3.org/1999/xhtml"><iframe width="100%" height="866px" id="winrelinfo_iframe" src="https://winreleaseinfoprod.blob.core.windows.net/winreleaseinfoprod/en-US.html" frameborder="0" marginwidth="0" marginheight="0" scrolling="auto"></iframe></div>
<script src="https://winreleaseinfoprod.blob.core.windows.net/winreleaseinfoprod/iframe.js" xmlns="http://www.w3.org/1999/xhtml"></script>
<script xmlns="http://www.w3.org/1999/xhtml">/*<![CDATA[*/winrelinfo_setup("https://winreleaseinfoprod.blob.core.windows.net/winreleaseinfoprod/en-US.html")/*]]>*/</script>
</div>

197
windows/privacy/Microsoft-DiagnosticDataViewer.md Normal file
View File

@ -0,0 +1,197 @@
---
title: Diagnostic Data Viewer for PowerShell Overview (Windows 10)
description: Use this article to use the Diagnostic Data Viewer for PowerShell to review the diagnostic data sent to Microsoft by your device.
keywords: privacy
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: brianlic-msft
ms.author: brianlic
ms.date: 01/17/2018
---
# Diagnostic Data Viewer for PowerShell Overview
**Applies to**
- Windows 10, version 1809
- Windows 10, version 1803
- Windows Server, version 1803
- Windows Server 2019
## Introduction
The Diagnostic Data Viewer for PowerShell is a PowerShell module that lets you review the diagnostic data your device is sending to Microsoft, grouping the info into simple categories based on how it's used by Microsoft.
## Requirements
You must have administrative privilege on the device in order to use this PowerShell module. This module requires OS version 1803 and higher.
## Install and Use the Diagnostic Data Viewer for PowerShell
You must install the module before you can use the Diagnostic Data Viewer for PowerShell.
### Install the Diagnostic Data Viewer for PowerShell
>[!IMPORTANT]
>It is recommended to visit the documentation on [Getting Started](https://docs.microsoft.com/en-us/powershell/gallery/getting-started) with PowerShell Gallery. This page provides more specific details on installing a PowerShell module.
To install the newest version of the Diagnostic Data Viewer PowerShell module:
1. From an elevated Command Prompt, start a PowerShell session by running `C:\> powershell.exe`.
2. Install the module by name
```powershell
PS C:\> Install-Module -Name Microsoft.DiagnosticDataViewer
```
To see more information about the module, visit [PowerShell Gallery](https://www.powershellgallery.com/packages/Microsoft.DiagnosticDataViewer).
### Turn on data viewing
Before you can use this tool, you must turn on data viewing. Turning on data viewing enables Windows to store a local history of your device's diagnostic data for you to view until you turn it off.
Note that this setting does not control whether your device sends diagnostic data. Instead, it controls whether your Windows device saves a local copy of the diagnostic data sent for your viewing.
**To turn on data viewing through the Settings page**
1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**.
2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option.
![Location to turn on data viewing](images/ddv-data-viewing.png)
**To turn on data viewing through PowerShell**
1. Install the Diagnostic Data Viewer for PowerShell module.
2. Run the Command prompt **as administrator**.
3. Start a PowerShell session by running `C:\> powershell.exe`.
4. Run the following commands in the PowerShell session:
```powershell
PS C:\> Enable-DiagnosticDataViewing
```
Once data viewing is enabled, your Windows machine will begin saving a history of diagnostic data that is sent to Microsoft from this point on.
>[!IMPORTANT]
>Turning on data viewing can use up to 1GB (default setting) of disk space on your system drive. We recommend that you turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the [Turn off data viewing](#turn-off-data-viewing) section in this article.
### Start the Diagnostic Data Viewer
You must start this app from the **Settings** panel.
**To start the Diagnostic Data Viewer**
1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**.
2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button.
![Location to turn on the Diagnostic Data Viewer](images/ddv-settings-launch.png)<br><br>-OR-<br><br>
Go to **Start** and search for _Diagnostic Data Viewer_.
3. Close the Diagnostic Data Viewer app, use your device as you normally would for a few days, and then open Diagnostic Data Viewer again to review the updated list of diagnostic data.
>[!IMPORTANT]
>Turning on data viewing can use up to 1GB of disk space on your system drive. We strongly recommend that your turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the [Turn off data viewing](#turn-off-data-viewing) section in this article.
### Getting Started with Diagnostic Data Viewer for PowerShell
To see how to use the cmdlet, the parameters it accepts, and examples, run the following command from an elevated PowerShell session:
```powershell
PS C:\> Get-Help Get-DiagnosticData
```
**To Start Viewing Diagnostic Data**
From an elevated PowerShell session, run the following command:
```powershell
PS C:\> Get-DiagnosticData
```
If the number of events is large, and you'd like to stop the command, enter `Ctrl+C`.
>[!IMPORTANT]
>The above command may produce little to no results if you enabled data viewing recently. It can take several minutes before your Windows device can show diagnostic data it has sent. Use your device as you normally would in the mean time and try again.
### Doing more with the Diagnostic Data Viewer for PowerShell
The Diagnostic Data Viewer for PowerShell provides you with the following features to view and filter your device's diagnostic data. You can also use the extensive suite of other PowerShell tools with this module.
- **View your diagnostic events.** Running `PS C:\> Get-DiagnosticData`, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft.
Each event is displayed as a PowerShell Object. By default each event shows the event name, the time when it was seen by your Windows device, whether the event is [Basic](https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization), its [diagnostic event category](#view-diagnostic-event-categories), and a detailed JSON view of the information it contains, which shows the event exactly as it was when sent to Microsoft. Microsoft uses this info to continually improve the Windows operating system.
- **View Diagnostic event categories.** Each event shows the diagnostic event categories that it belongs to. These categories define how events are used by Microsoft. The categories are shown as numeric identifiers. For more information about these categories, see [Windows Diagnostic Data](https://docs.microsoft.com/en-us/windows/privacy/windows-diagnostic-data).
To view the diagnostic category represented by each numeric identifier and what the category means, you can run the command:
```powershell
PS C:\> Get-DiagnosticDataTypes
```
- **Filter events by when they were sent.** You can view events within specified time ranges by specifying a start time and end time of each command. For example, to see all diagnostic data sent between 12 and 6 hours ago, run the following command. Note that data is shown in order of oldest first.
```powershell
PS C:\> Get-DiagnosticData -StartTime (Get-Date).AddHours(-12) -EndTime (Get-Date).AddHours(-6)
```
- **Export the results of each command.** You can export the results of each command to a separate file such as a csv by using pipe `|`. For example,
```powershell
PS C:\> Get-DiagnosticData | Export-Csv 'mydata.csv'
```
## Turn off data viewing
When you're done reviewing your diagnostic data, we recommend turning off data viewing to prevent using up more memory. Turning off data viewing stops Windows from saving a history of your diagnostic data and clears the existing history of diagnostic data from your device.
**To turn off data viewing through the Settings page**
1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**.
2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option.
![Location to turn off data viewing](images/ddv-settings-off.png)
**To turn off data viewing through PowerShell**
1. Run the Command prompt **as administrator**.
2. Start a PowerShell session by running `C:\> powershell.exe`.
3. Run the following commands in the PowerShell session:
```powershell
PS C:\> Disable-DiagnosticDataViewing
```
## Modifying the size of your data history
By default, the tool will show you up to 1GB or 30 days of data (whichever comes first). Once either the time or space limit is reached, the data is incrementally dropped with the oldest data points dropped first.
**Modify the size of your data history**
>[!IMPORTANT]
>Modifying the maximum amount of diagnostic data viewable by the tool may come with performance impacts to your machine.
You can change the maximum data history size (in megabytes) that you can view. For example, to set the maximum data history size to 2048MB (2GB), you can run the following command.
```powershell
PS C:\> Set-DiagnosticStoreCapacity -Size 2048
```
You can change the maximum data history time (in hours) that you can view. For example, to set the maximum data history time to 24 hours, you can run the following command.
```powershell
PS C:\> Set-DiagnosticStoreCapacity -Time 24
```
>[!IMPORTANT]
>You may need to restart your machine for the new settings to take effect.
>[!IMPORTANT]
>If you have the [Diagnostic Data Viewer](diagnostic-data-viewer-overview.md) store app installed on the same device, modifications to the size of your data history through the PowerShell module will also be reflected in the app.
**Reset the size of your data history**
To reset the maximum data history size back to its original 1GB default value, run the following command in an elevated PowerShell session:
```powershell
PS C:\> Set-DiagnosticStoreCapacity -Size 1024 -Time 720
```
## Related Links
- [Module in PowerShell Gallery](https://www.powershellgallery.com/packages/Microsoft.DiagnosticDataViewer)
- [Documentation for Diagnostic Data Viewer for PowerShell](https://docs.microsoft.com/en-us/powershell/module/microsoft.diagnosticdataviewer/?view=win10-ps)

4
windows/privacy/TOC.md
View File

@ -3,7 +3,9 @@
## [Windows and the GDPR: Information for IT Administrators and Decision Makers](gdpr-it-guidance.md)
## [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md)
## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
## Diagnostic Data Viewer
### [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
### [Diagnostic Data Viewer for PowerShell Overview](Microsoft-DiagnosticDataViewer.md)
## Basic level Windows diagnostic data events and fields
### [Windows 10, version 1809 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)

661
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
View File

@ -9,7 +9,7 @@ ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.author: brianlic
ms.date: 11/07/2018
ms.date: 12/13/2018
---
@ -61,15 +61,15 @@ The following fields are available:
- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device.
- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device.
- **InventoryLanguagePack** The total InventoryLanguagePack objects that are present on this device.
- **InventorySystemBios** The total InventorySystemBios objects that are present on this device.
- **PCFP** An ID for the system that is calculated by hashing hardware identifiers.
- **SystemProcessorCompareExchange** The total SystemProcessorCompareExchange objects that are present on this device.
- **SystemProcessorNx** The total SystemProcessorNx objects that are present on this device.
- **SystemProcessorSse2** The total SystemProcessorSse2 objects that are present on this device.
- **SystemWim** The total SystemWim objects that are present on this device
- **SystemWindowsActivationStatus** The total SystemWindowsActivationStatus objects that are present on this device.
- **SystemWlan** The total SystemWlan objects that are present on this device.
- **InventoryLanguagePack** The count of DecisionApplicationFile objects present on this machine targeting the next release of Windows
- **InventorySystemBios** The count of DecisionDevicePnp objects present on this machine targeting the next release of Windows
- **PCFP** The count of DecisionDriverPackage objects present on this machine targeting the next release of Windows
- **SystemProcessorCompareExchange** The count of DecisionMatchingInfoBlock objects present on this machine targeting the next release of Windows
- **SystemProcessorNx** The count of DataSourceMatchingInfoPostUpgrade objects present on this machine targeting the next release of Windows
- **SystemProcessorSse2** The count of DecisionMatchingInfoPostUpgrade objects present on this machine targeting the next release of Windows
- **SystemWim** The count of DecisionMediaCenter objects present on this machine targeting the next release of Windows
- **SystemWindowsActivationStatus** The count of DecisionSystemBios objects present on this machine targeting the next release of Windows
- **SystemWlan** The count of InventoryApplicationFile objects present on this machine.
- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device.
@ -335,7 +335,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
This event indicates that the DecisionApplicationFile object is no longer present.
This event indicates Indicates that the DecisionApplicationFile object is no longer present.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@ -671,7 +671,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
This event indicates that a new set of InventoryApplicationFileAdd events will be sent.
This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@ -1757,8 +1757,107 @@ The following fields are available:
- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
## Content Delivery Manager events
### Microsoft.Windows.ContentDeliveryManager.ProcessCreativeEvent
This event sends tracking data about the reliability of interactions with Windows spotlight content, to help keep Windows up to date.
The following fields are available:
- **creativeId** A serialized string containing the ID of the offer being rendered, the ID of the current rotation period, the ID of the surface/ring/market combination, the offer index in the current branch, the ID of the batch, the rotation period length, and the expiration timestamp.
- **eventToken** In there are multiple item offers, such as Start tiles, this indicates which tile the event corresponds to.
- **eventType** A code that indicates the type of creative event, such a impression, click, positive feedback, negative feedback, etc..
- **placementId** Name of surface, such as LockScreen or Start.
### Microsoft.Windows.ContentDeliveryManager.ReportPlacementHealth
This event sends aggregated client health data, summarizing information about the state of offers on a device, to help keep Windows up to date.
The following fields are available:
- **dataVersion** Schema version of the event that is used to determine what serialized content is available for placementReportedInfo and trackingInfo fields.
- **healthResult** A code that identifies user account health status as Unknown, Healthy, Unhealthy.
- **healthStateFlags** A code that represents a set of flags used to group devices in a health/unhealthy way. For example, Unhealthy, Healthy, RefreshNotScheduled, EmptyResponse, RenderedDefault, RenderFailure, RenderDelayed, and CacheEmpty.
- **placementHealthId** A code that represents which surface's health is being reported. For example, Default, LockScreen, LockScreenOverlay, StartMenu, SoftLanding, DefaultStartLayout1, DefaultStartLayout2, OemPreInstalledApps, FeatureManagement, SilentInstalledApps, NotificationChannel, SuggestedPenAppsSubscribedContent, TestAppSubscribedContent, OneDriveSyncNamespaceSubscribedContent, OneDriveLocalNamespaceSubscribedContent, OneDriveSyncNamespaceInternalSubscribedContent, and OneDriveLocalNamespaceInternalSubscribedContent.
- **placementReportedInfo** Serialized information that contains domain-specific health information written by each surface, such as lastUpportunityTime, lastOpportunityReportedTime, expectedExpirationTime, and rotationPeriod.
- **trackingInfo** Serialized information that contains domain-specific health information written by the content delivery manager, such as lastRefreshTime, nextRefreshTime, nextUpdateTime,renderPriorToLastOpportunityTime, lastRenderTime, lastImpressionTime, lastRulesRegistrationTime, registrationTime, lastRefreshBatchCount, lastEligibleCreativeCount, availableAppSlotCount, placeholderAppSlotCount, lastRenderSuccess, lastRenderDefault, isEnabled.
### Microsoft.Windows.ContentDeliveryManager.ReportPlacementState
This event sends data about the opt-out state of a device or user that uses Windows spotlight, to help keep Windows up to date.
The following fields are available:
- **isEnabled** Indicates if the surface is enable to receive offers.
- **lastImpressionTime** The time when the last offer was seen.
- **lastRenderedCreativeId** ID of the last offer rendered by the surface.
- **lastRenderedTime** The time that the last offer was rendered.
- **nextRotationTime** The time in which the next offer will be rendered.
- **placementName** Name of surface, such as LockScreen or Start.
- **placementStateReportFlags** Flags that represent if the surface is capable of receiving offers, such as off by edition, off by Group Policy, off by user choice.
- **selectedPlacementId** ID of the surface/ring/markey combination, such as Lock-Internal-en-US.
## Diagnostic data events
### TelClientSynthetic.AbnormalShutdown_0
This event sends data about boot IDs for which a normal clean shutdown was not observed, to help keep Windows up to date.
The following fields are available:
- **AbnormalShutdownBootId** Retrieves the Boot ID for which the abnormal shutdown was observed.
- **CrashDumpEnabled** OS configuration of the type of crash dump enabled; 0 = not enabled
- **CumulativeCrashCount** Cumulative count of OS crashes since the BootId reset
- **CurrentBootId** Retrieves the current boot ID.
- **FirmwareResetReasonEmbeddedController** Firmware-supplied reason for the reset.
- **FirmwareResetReasonEmbeddedControllerAdditional** Additional data related to the reset reason provided by the firmware.
- **FirmwareResetReasonPch** Hardware-supplied reason for the reset.
- **FirmwareResetReasonPchAdditional** Additional data related to the reset reason provided by the hardware.
- **FirmwareResetReasonSupplied** Indicates whether the firmware supplied any reset reason.
- **FirmwareType** ID of the FirmwareType as enumerated in DimFirmwareType
- **HardwareWatchdogTimerGeneratedLastReset** Indicates whether the hardware watchdog timer caused the last reset.
- **HardwareWatchdogTimerPresent** Indicates whether hardware watchdog timer was present or not.
- **LastBugCheckBootId** "bootId of the captured Last Bug Check""; important to match AbnormalShutdownBootId for analysis or the Last Bug Check info in the event does not correlate with the rest of the information""""ootId of the captured ""Last Bug Check""; important to match AbnormalShutdownBootId for analysis or the Last Bug Check info in the event does not correlate with the """"otId of the captured ""Last Bug Check""; important to match AbnormalShutdownBootId for analysis or the Last Bug Check info in the event does n""""tId of the captured ""Last Bug Check""; important to match AbnormalShutdownBootId for analysis or the Last Bug Check inf""""Id of the captured ""Last Bug Check""; important to match AbnormalShutdownBootId for analysis or th""""d of the captured ""Last Bug Check""; important to match AbnormalShutdownBootId"""" of the captured ""Last Bug Check""; important to match Abno""""of the captured ""Last Bug Check""; import""""f the captured ""Last Bu"""" the ca"""
- **LastBugCheckCode** Bug Check code indicating the type of error; LastBugCheck data is only available on UEFI-enabled systems (as indicated by FirmwareTypeId == 2) because it is saved in an EFI variable; LastBugCheck data is only available if crashdumping is enabled (as indicated by CrashDumpEnabled > 0)
- **LastBugCheckContextFlags** Additional crashdump settings; LastBugCheck data is only available on UEFI-enabled systems (as indicated by FirmwareTypeId == 2) because it is saved in an EFI variable; LastBugCheck data is only available if crashdumping is enabled (as indicated by CrashDumpEnabled > 0)
- **LastBugCheckOriginalDumpType** Type of crashdump the system intended to save; LastBugCheck data is only available on UEFI-enabled systems (as indicated by FirmwareTypeId == 2) because it is saved in an EFI variable; LastBugCheck data is only available if crashdumping is enabled (as indicated by CrashDumpEnabled > 0)
- **LastBugCheckOtherSettings** Other crashdump settings; LastBugCheck data is only available on UEFI-enabled systems (as indicated by FirmwareTypeId == 2) because it is saved in an EFI variable; LastBugCheck data is only available if crashdumping is enabled (as indicated by CrashDumpEnabled > 0)
- **LastBugCheckParameter1** First Bug Check parameter with additional info on the type of the error; LastBugCheck data is only available on UEFI-enabled systems (as indicated by FirmwareTypeId == 2) because it is saved in an EFI variable; LastBugCheck data is only available if crashdumping is enabled (as indicated by CrashDumpEnabled > 0)
- **LastBugCheckProgress** Progress towards writing out the last crashdump; non-zero value indicates an attempt; LastBugCheck data is only available on UEFI-enabled systems (as indicated by FirmwareTypeId == 2) because it is saved in an EFI variable; LastBugCheck data is only available if crashdumping is enabled (as indicated by CrashDumpEnabled .> 0)
- **LastSuccessfullyShutdownBootId** Retrieves the last successfully/cleanly shutdown boot ID.
- **PowerButtonCumulativePressCount** "Number of times the Power Button was detected to have been pressed (pressed" not to be confused with "released") for the BootId specified in PowerButtonLastPressBootId""umber of times the Power Button was detected to have been pressed ("pressed" not to be confused wit""mber of times the Power Button """umber of times the Power Button was detected to have been pressed (pressed" not to be confused with "released") for the BootId specified in PowerButtonLastPressBootId""umber of times the Power Button was detected to have been ""mber of times the Power Button was detected to have been pressed (pressed" not to be confused with "released") for the BootId specified in PowerButtonL""ber of times the Power Button was detected to have been pressed (pressed" not""er o"
- **PowerButtonCumulativeReleaseCount** "Number of times the Power Button was detected to have been released (released" not to be confused with "pressed") for the BootId specified in PowerButtonLastReleaseBootId""umber of times the Power Button was detected to have been released ("released" not to be confused wit""mber of times the Power Button w"""umber of times the Power Button was detected to have been released (released" not to be confused with "pressed") for the BootId specified in PowerButtonLastReleaseBootId""umber of times the Power Button was detected to have been r""mber of times the Power Button was detected to have been released (released" not to be confused with "pressed") for the BootId specified in PowerButtonLa""ber of times the Power Button was detected to have been released (released" n""er"
- **PowerButtonErrorCount** Indicates the number of times there was an error attempting to record Power Button metrics (e.g. due to a failure to lock/update the bootstat file)
- **PowerButtonLastPressBootId** "BootId of the last time the Power Button was detected to have been pressed (pressed" not to be confused with "released")""ootId of the last time the Power Button was """ootId of the last time the Power Button was detected to have been pressed (pressed""""
- **PowerButtonLastPressTime** "Date/time of the last time the Power Button was detected to have been pressed (pressed" not to be confused with "released")""ate/time of the last time the Power Button w"""ate/time of the last time the Power Button was detected to have been pressed (press"
- **PowerButtonLastReleaseBootId** "BootId of the last time the Power Button was detected to have been released (released" not to be confused with "pressed")""ootId of the last time the Power Button was """ootId of the last time the Power Button was detected to have been released (releas"
- **PowerButtonLastReleaseTime** "Date/time of the last time the Power Button was detected to have been released (released" not to be confused with "pressed")""ate/time of the last time the Power Button w"""ate/time of the last time the Power Button was detected to have been released (rel"
- **PowerButtonPressCurrentCsPhase** Represents the phase of Connected Standby exit when the power button was pressed.
- **PowerButtonPressIsShutdownInProgress** Indicates whether a system shutdown was in progress at the last time the Power Button was pressed
- **PowerButtonPressLastPowerWatchdogStage** Progress while monitor/display is being turned on; ranges from 0 (no progress) to 0x50 (completion); if PowerButtonPressPowerWatchdogArmed == TRUE (armed), the value represents the current stage whereas if PowerButtonPressPowerWatchdogArmed == FALSE (not armed),the value represents the last completed stage at the time of the last Power Button press,
- **PowerButtonPressPowerWatchdogArmed** Inidicates whether or not the watchdog for the monitor/display was active at the time of the last Power Button press
- **TransitionInfoBootId** "BootId of the captured Transition Info""; important to match AbnormalShutdownBootId for analysis or the Transition Info in the event does not correlate with the rest of the information""""ootId of the captured ""Transition Info""; important to match AbnormalShutdownBootId for analysis or the Transition Info in the event does not correlate with the """"otId of the captured ""Transition Info""; important to match AbnormalShutdownBootId for analysis or the Transition Info in the event does n""""tId of the captured ""Transition Info""; important to match AbnormalShutdownBootId for analysis or the Transition Inf""""Id of the captured ""Transition Info""; important to match AbnormalShutdownBootId for analysis o""""d of the captured ""Transition Info""; important to match AbnormalShutdownBo"""" of the captured ""Transition Info""; important to match """"of the captured ""Transition Info""; im""""f the captured ""Tran"""" the"""
- **TransitionInfoCSCount** "Total number of times the system transitioned from Connected Standby mode to on" at the time the last marker was saved""otal number of times the system transitio"""otal number of times the system transitioned from Connected Standby mode to on" at""tal"
- **TransitionInfoCSEntryReason** Indicates the reason the device last entered Connected Standby mode
- **TransitionInfoCSExitReason** Indicates the reason the device last exited Connected Standby mode
- **TransitionInfoCSInProgress** At the time the last marker was saved,the system was in or entering Connected Standby mode
- **TransitionInfoLastReferenceTimeChecksum** Checksum of TransitionInfoLastReferenceTimestamp
- **TransitionInfoLastReferenceTimestamp** Date/time the marker was last saved
- **TransitionInfoPowerButtonTimestamp** Date/time of the last time the Power Button was detected to have been pressed (collected via a different mechanism than PowerButtonLastPressTime)
- **TransitionInfoSleepInProgress** At the time the last marker was saved,the system was in or entering Sleep mode
- **TransitionInfoSleepTranstionsToOn** "Total number of times the system transitioned from Sleep mode to on" at the time the last marker was saved""otal number of times the system transitio"""otal number of times the system transitioned from Sleep mode to on" at the time th""tal number of t"
- **TransitionInfoSystemRunning** At the time the last marker was saved,the system was running
- **TransitionInfoSystemShutdownInProgress** Indicates whether a device shutdown was in progress when the power button was pressed.
- **TransitionInfoUserShutdownInProgress** Indicates whether a user shutdown was in progress when the power button was pressed.
- **TransitionLatestCheckpointId** Represents a unique identifier for a checkpoint during the device state transition.
- **TransitionLatestCheckpointSeqNumber** Represents the chronological sequence number of the checkpoint.
- **TransitionLatestCheckpointType** Represents the type of the checkpoint, which can be the start of a phase, end of a phase, or just informational.
### TelClientSynthetic.AuthorizationInfo_RuntimeTransition
This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect.
@ -1856,6 +1955,24 @@ The following fields are available:
- **VortexHttpFailures5xx** The number of 500-599 error codes received from Vortex.
### TelClientSynthetic.HeartBeat_Aria_5
This event is the telemetry client ARIA heartbeat.
### TelClientSynthetic.HeartBeat_Seville_5
This event is sent by the universal telemetry client (UTC) as a heartbeat signal for Sense.
### TelClientSynthetic.TailoredExperiencesWithDiagnosticDataUpdate
This event is triggered when UTC determines it needs to send information about personalization settings of the user.
## DxgKernelTelemetry events
### DxgKrnlTelemetry.GPUAdapterInventoryV2
@ -2571,6 +2688,31 @@ The following fields are available:
- **UserInputTime** The amount of time the loader application spent waiting for user input.
### Microsoft.Windows.Kernel.Power.OSStateChange
This event denotes the transition between operating system states (e.g., On, Off, Sleep, etc.). By using this event with Windows Analytics, organizations can use this to help monitor reliability and performance of managed devices.
The following fields are available:
- **AcPowerOnline** If "TRUE," the device is using AC power. If "FALSE," the device is using battery power.
- **ActualTransitions** This will give the actual transitions number
- **BatteryCapacity** Maximum battery capacity in mWh
- **BatteryCharge** Current battery charge as a percentage of total capacity
- **BatteryDischarging** Flag indicating whether the battery is discharging or charging
- **BootId** Monotonically increasing boot id, reset on upgrades.
- **BootTimeUTC** Boot time in UTC  file time.
- **EventSequence** Monotonically increasing event number for OsStateChange events logged during this boot.
- **LastStateTransition** The previous state transition on the device.
- **LastStateTransitionSub** The previous state subtransition on the device.
- **StateDurationMS** Milliseconds spent in the state being departed
- **StateTransition** Transition type PowerOn=1, Shutdown, Suspend, Resume, Heartbeat.
- **StateTransitionSub** Subtransition type Normal=1, Reboot, Hiberboot, Standby, Hibernate, ConnectedStandby, Reserved, HybridSleep.
- **TotalDurationMS** Total time device has been up in milliseconds in wall clock time.
- **TotalUptimeMS** Total time device has been on (not in a suspended state) in milliseconds.
- **TransitionsToOn** TransitionsToOn increments each time the system successfully completes a system sleep event, and is sent as part of the PowerTransitionEnd ETW event.
- **UptimeDeltaMS** Duration in last state in milliseconds.
## OneDrive events
### Microsoft.OneDrive.Sync.Setup.APIOperation
@ -2627,43 +2769,6 @@ The following fields are available:
- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation.
### Microsoft.OneDrive.Sync.Setup.SetupCommonData
This event contains basic OneDrive configuration data that helps to diagnose failures.
The following fields are available:
- **AppVersion** The version of the app.
- **BuildArchitecture** Is the architecture x86 or x64?
- **Environment** Is the device on the production or int service?
- **MachineGuid** The CEIP machine ID.
- **Market** Which market is this in?
- **MSFTInternal** Is this an internal Microsoft device?
- **OfficeVersionString** The version of Office that is installed.
- **OSDeviceName** Only if the device is internal to Microsoft, the device name.
- **OSUserName** Only if the device is internal to Microsoft, the user name.
- **UserGuid** The CEIP user ID.
### Microsoft.OneDrive.Sync.Updater.CommonData
This event contains basic OneDrive configuration data that helps to diagnose failures.
The following fields are available:
- **AppVersion** The version of the app.
- **BuildArch** Is the architecture x86 or x64?
- **Environment** Is the device on the production or int service?
- **IsMSFTInternal** TRUE if the device is an internal Microsoft device.
- **MachineGuid** The GUID (Globally Unique ID) that identifies the machine for the CEIP (Customer Experience Improvement Program).
- **Market** Which market is this in?
- **OfficeVersion** The version of Office that is installed.
- **OneDriveDeviceId** The OneDrive device ID.
- **OSDeviceName** Only if the device is internal to Microsoft, the device name.
- **OSUserName** Only if the device is internal to Microsoft, the user name.
- **UserGuid** The GUID (Globally Unique ID) of the user currently logged in.
### Microsoft.OneDrive.Sync.Updater.ComponentInstallState
This event includes basic data about the installation state of dependent OneDrive components.
@ -2750,48 +2855,11 @@ The following fields are available:
- **winInetError** The HResult of the operation.
## Other events
### Microsoft.Xbox.XamTelemetry.AppActivationError
This event indicates whether the system detected an activation error in the app.
The following fields are available:
- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app.
- **AppId** The Xbox LIVE Title ID.
- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate.
- **Result** The HResult error.
- **UserId** The Xbox LIVE User ID (XUID).
### Microsoft.Xbox.XamTelemetry.AppActivity
This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc.
The following fields are available:
- **AppActionId** The ID of the application action.
- **AppCurrentVisibilityState** The ID of the current application visibility state.
- **AppId** The Xbox LIVE Title ID of the app.
- **AppPackageFullName** The full name of the application package.
- **AppPreviousVisibilityState** The ID of the previous application visibility state.
- **AppSessionId** The application session ID.
- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa).
- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application.
- **DurationMs** The amount of time (in milliseconds) since the last application state transition.
- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license.
- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc).
- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license.
- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application.
- **UserId** The XUID (Xbox User ID) of the current user.
## Remediation events
### Microsoft.Windows.Remediation.Applicable
This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
This event indicates a remedial plug-in is applicable if/when such a plug-in is detected. This is used to ensure Windows is up to date.
The following fields are available:
@ -2814,7 +2882,7 @@ The following fields are available:
- **HResult** The HRESULT for detection or perform action phases of the plugin.
- **IsAppraiserLatestResult** The HRESULT from the appraiser task.
- **IsConfigurationCorrected** Indicates whether the configuration of SIH task was successfully corrected.
- **LastHresult** The HResult of the operation.
- **LastHresult** The HRESULT for detection or perform action phases of the plugin.
- **LastRun** The date of the most recent SIH run.
- **NextRun** Date of the next scheduled SIH run.
- **PackageVersion** The version of the current remediation package.
@ -2875,7 +2943,7 @@ The following fields are available:
### Microsoft.Windows.Remediation.Completed
This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
This event enables completion tracking of a process that remediates issues preventing security and quality updates.
The following fields are available:
@ -2964,9 +3032,123 @@ The following fields are available:
- **WindowsSxsTempFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) Temp folder, measured in Megabytes.
### Microsoft.Windows.Remediation.DiskCleanUnExpectedErrorEvent
This event indicates that an unexpected error occurred during an update and provides information to help address the issue.
The following fields are available:
- **CV** The Correlation vector.
- **ErrorMessage** A description of any errors encountered while the plug-in was running.
- **GlobalEventCounter** The client-side counter that indicates ordering of events.
- **Hresult** The result of the event execution.
- **PackageVersion** The version number of the current remediation package.
- **SessionGuid** GUID associated with a given execution of sediment pack.
### Microsoft.Windows.Remediation.Error
This event indicates a Sediment Pack error (update stack failure) has been detected and provides information to help address the issue.
The following fields are available:
- **HResult** The result of the event execution.
- **Message** A message containing information about the error that occurred.
- **PackageVersion** The version number of the current remediation package.
### Microsoft.Windows.Remediation.FallbackError
This event indicates an error when Self Update results in a Fallback and provides information to help address the issue.
The following fields are available:
- **s0** Indicates the Fallback error level. See [Microsoft.Windows.Remediation.wilResult](#microsoftwindowsremediationwilresult).
- **wilResult** The result of the Windows Installer Logging. See [wilResult](#wilresult).
### Microsoft.Windows.Remediation.RemediationNotifyUserFixIssuesInvokeUIEvent
This event occurs when the Notify User task executes and provides information about the cause of the notification.
The following fields are available:
- **CV** The Correlation vector.
- **GlobalEventCounter** The client-side counter that indicates ordering of events.
- **PackageVersion** The version number of the current remediation package.
- **RemediationNotifyUserFixIssuesCallResult** The result of calling the USO (Update Session Orchestrator) sequence steps.
- **RemediationNotifyUserFixIssuesUsoDownloadCalledHr** The error code from the USO (Update Session Orchestrator) download call.
- **RemediationNotifyUserFixIssuesUsoInitializedHr** The error code from the USO (Update Session Orchestrator) initialize call.
- **RemediationNotifyUserFixIssuesUsoProxyBlanketHr** The error code from the USO (Update Session Orchestrator) proxy blanket call.
- **RemediationNotifyUserFixIssuesUsoSetSessionHr** The error code from the USO (Update Session Orchestrator) session call.
### Microsoft.Windows.Remediation.RemediationShellFailedAutomaticAppUpdateModifyEventId
This event provides the modification of the date on which an Automatic App Update scheduled task failed and provides information about the failure.
The following fields are available:
- **CV** The Correlation Vector.
- **GlobalEventCounter** The client-side counter that indicates ordering of events.
- **hResult** The result of the event execution.
- **PackageVersion** The version number of the current remediation package.
### Microsoft.Windows.Remediation.RemediationShellUnexpectedExceptionId
This event identifies the remediation plug-in that returned an unexpected exception and provides information about the exception.
The following fields are available:
- **CV** The Correlation Vector.
- **GlobalEventCounter** The client-side counter that indicates ordering of events.
- **PackageVersion** The version number of the current remediation package.
- **RemediationShellUnexpectedExceptionId** The ID of the remediation plug-in that caused the exception.
### Microsoft.Windows.Remediation.RemediationUHEnableServiceFailed
This event tracks the health of key update (Remediation) services and whether they are enabled.
The following fields are available:
- **CV** The Correlation Vector.
- **GlobalEventCounter** The client-side counter that indicates ordering of events.
- **hResult** The result of the event execution.
- **PackageVersion** The version number of the current remediation package.
- **serviceName** The name associated with the operation.
### Microsoft.Windows.Remediation.RemediationUpgradeSucceededDataEventId
This event returns information about the upgrade upon success to help ensure Windows is up to date.
The following fields are available:
- **AppraiserPlugin** TRUE / FALSE depending on whether the Appraiser plug-in task fix was successful.
- **ClearAUOptionsPlugin** TRUE / FALSE depending on whether the AU (Auto Updater) Options registry keys were successfully deleted.
- **CV** The Correlation Vector.
- **DatetimeSyncPlugin** TRUE / FALSE depending on whether the DateTimeSync plug-in ran successfully.
- **DiskCleanupPlugin** TRUE / FALSE depending on whether the DiskCleanup plug-in ran successfully.
- **GlobalEventCounter** The client-side counter that indicates ordering of events.
- **NoisyHammerPlugin** TRUE / FALSE depending on whether the NoisyHammer plug-in ran successfully.
- **PackageVersion** The version number of the current remediation package.
- **RebootRequiredPlugin** TRUE / FALSE depending on whether the Reboot plug-in ran successfully.
- **RemediationNotifyUserFixIssuesPlugin** TRUE / FALSE depending on whether the User Fix Issues plug-in ran successfully
- **RemediationPostUpgradeDiskSpace** The amount of disk space available after the upgrade.
- **RemediationPostUpgradeHibernationSize** The size of the Hibernation file after the upgrade.
- **ServiceHealthPlugin** A list of services updated by the plug-in.
- **SIHHealthPlugin** TRUE / FALSE depending on whether the SIH Health plug-in ran successfully.
- **StackDataResetPlugin** TRUE / FALSE depending on whether the update stack completed successfully.
- **TaskHealthPlugin** A list of tasks updated by the plug-in.
- **UpdateApplicabilityFixerPlugin** TRUE / FALSE depending on whether the update applicability fixer plug-in completed successfully.
- **WindowsUpdateEndpointPlugin** TRUE / FALSE depending on whether the Windows Update Endpoint was successful.
### Microsoft.Windows.Remediation.Started
This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
This event reports whether a plug-in started, to help ensure Windows is up to date.
The following fields are available:
@ -2977,6 +3159,31 @@ The following fields are available:
- **Result** This is the HRESULT for detection or perform action phases of the plugin.
### Microsoft.Windows.Remediation.wilResult
This event provides Self Update information to help keep Windows up to date.
The following fields are available:
- **callContext** A list of diagnostic activities containing this error.
- **currentContextId** An identifier for the newest diagnostic activity containing this error.
- **currentContextMessage** A message associated with the most recent diagnostic activity containing this error (if any).
- **currentContextName** Name of the most recent diagnostic activity containing this error.
- **failureCount** Number of failures seen within the binary where the error occurred.
- **failureId** The identifier assigned to this failure.
- **failureType** Indicates the type of failure observed (exception, returned, error, logged error, or fail fast).
- **fileName** The source code file name where the error occurred.
- **function** The name of the function where the error occurred.
- **hresult** The failure error code.
- **lineNumber** The Line Number within the source code file where the error occurred.
- **message** A message associated with the failure (if any).
- **module** The name of the binary module in which the error occurred.
- **originatingContextId** The identifier for the oldest diagnostic activity containing this error.
- **originatingContextMessage** A message associated with the oldest diagnostic activity containing this error (if any).
- **originatingContextName** The name of the oldest diagnostic activity containing this error.
- **threadId** The identifier of the thread the error occurred on.
## Sediment events
### Microsoft.Windows.Sediment.Info.AppraiserData
@ -3326,17 +3533,15 @@ The following fields are available:
- **Time** The system time at which the event occurred.
## Sediment Launcher events
### Microsoft.Windows.SedimentLauncher.Applicable
This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
Indicates whether a given plugin is applicable.
The following fields are available:
- **CV** Correlation vector.
- **DetectedCondition** Boolean true if detect condition is true and perform action will be run.
- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
- **IsSelfUpdateEnabledInOneSettings** True if self update enabled in Settings.
- **IsSelfUpdateNeeded** True if self update needed by device.
- **PackageVersion** Current package version of Remediation.
@ -3346,43 +3551,97 @@ The following fields are available:
### Microsoft.Windows.SedimentLauncher.Completed
This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
Indicates whether a given plugin has completed its work.
The following fields are available:
- **CV** Correlation vector.
- **FailedReasons** Concatenated list of failure reasons.
- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
- **PackageVersion** Current package version of Remediation.
- **PluginName** Name of the plugin specified for each generic plugin event.
- **Result** This is the HRESULT for detection or perform action phases of the plugin.
- **SedLauncherExecutionResult** HRESULT for one execution of the Sediment Launcher.
### Microsoft.Windows.SedimentLauncher.Error
This event indicates an error occurred during the execution of the plug-in. The information provided helps ensure future upgrade/update attempts are more successful.
The following fields are available:
- **HResult** The result for the Detection or Perform Action phases of the plug-in.
- **Message** A message containing information about the error that occurred (if any).
- **PackageVersion** The version number of the current remediation package.
### Microsoft.Windows.SedimentLauncher.FallbackError
This event indicates that an error occurred during execution of the plug-in fallback.
The following fields are available:
- **s0** Error occurred during execution of the plugin fallback. See [Microsoft.Windows.SedimentLauncher.wilResult](#microsoftwindowssedimentlauncherwilresult).
### Microsoft.Windows.SedimentLauncher.Information
This event provides general information returned from the plug-in.
The following fields are available:
- **HResult** This is the HRESULT for detection or perform action phases of the plugin.
- **Message** Information message returned from a plugin containing only information internal to the plugins execution.
- **PackageVersion** Current package version of Remediation.
### Microsoft.Windows.SedimentLauncher.Started
This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
This event indicates that a given plug-in has started.
The following fields are available:
- **CV** Correlation vector.
- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
- **PackageVersion** Current package version of Remediation.
- **PluginName** Name of the plugin specified for each generic plugin event.
- **Result** This is the HRESULT for detection or perform action phases of the plugin.
## Sediment Service events
### Microsoft.Windows.SedimentLauncher.wilResult
This event provides the result from the Windows internal library.
The following fields are available:
- **callContext** List of telemetry activities containing this error.
- **currentContextId** Identifier for the newest telemetry activity containing this error.
- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any).
- **currentContextName** Name of the newest telemetry activity containing this error.
- **failureCount** Number of failures seen within the binary where the error occurred.
- **failureId** Identifier assigned to this failure.
- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast).
- **fileName** Source code file name where the error occurred.
- **function** Name of the function where the error occurred.
- **hresult** Failure error code.
- **lineNumber** Line number within the source code file where the error occurred.
- **message** Custom message associated with the failure (if any).
- **module** Name of the binary where the error occurred.
- **originatingContextId** Identifier for the oldest telemetry activity containing this error.
- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any).
- **originatingContextName** Name of the oldest telemetry activity containing this error.
- **threadId** Identifier of the thread the error occurred on.
### Microsoft.Windows.SedimentService.Applicable
This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date.
This event indicates whether a given plug-in is applicable.
The following fields are available:
- **CV** Correlation vector.
- **DetectedCondition** Determine whether action needs to run based on device properties.
- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
- **IsSelfUpdateEnabledInOneSettings** Indicates if self update is enabled in One Settings.
- **IsSelfUpdateNeeded** Indicates if self update is needed.
- **PackageVersion** Current package version of Remediation.
@ -3392,13 +3651,13 @@ The following fields are available:
### Microsoft.Windows.SedimentService.Completed
This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date.
This event indicates whether a given plug-in has completed its work.
The following fields are available:
- **CV** Correlation vector.
- **FailedReasons** List of reasons when the plugin action failed.
- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
- **PackageVersion** Current package version of Remediation.
- **PluginName** Name of the plugin specified for each generic plugin event.
- **Result** This is the HRESULT for detection or perform action phases of the plugin.
@ -3412,9 +3671,40 @@ The following fields are available:
- **SedimentServiceTotalIterations** Number of 5 second iterations service will wait before running again.
### Microsoft.Windows.SedimentService.Error
This event indicates whether an error condition occurred in the plug-in.
The following fields are available:
- **HResult** This is the HRESULT for detection or perform action phases of the plugin.
- **Message** Custom message associated with the failure (if any).
- **PackageVersion** Current package version of Remediation.
### Microsoft.Windows.SedimentService.FallbackError
This event indicates whether an error occurred for a fallback in the plug-in.
The following fields are available:
- **s0** Event returned when an error occurs for a fallback in the plugin. See [Microsoft.Windows.SedimentService.wilResult](#microsoftwindowssedimentservicewilresult).
### Microsoft.Windows.SedimentService.Information
This event provides general information returned from the plug-in.
The following fields are available:
- **HResult** This is the HRESULT for detection or perform action phases of the plugin.
- **Message** Custom message associated with the failure (if any).
- **PackageVersion** Current package version of Remediation.
### Microsoft.Windows.SedimentService.Started
This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date.
This event indicates a specified plug-in has started. This information helps ensure Windows is up to date.
The following fields are available:
@ -3425,6 +3715,31 @@ The following fields are available:
- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin.
### Microsoft.Windows.SedimentService.wilResult
This event provides the result from the Windows internal library.
The following fields are available:
- **callContext** List of telemetry activities containing this error.
- **currentContextId** Identifier for the newest telemetry activity containing this error.
- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any).
- **currentContextName** Name of the newest telemetry activity containing this error.
- **failureCount** Number of failures seen within the binary where the error occurred.
- **failureId** Identifier assigned to this failure.
- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast).
- **fileName** Source code file name where the error occurred.
- **function** Name of the function where the error occurred.
- **hresult** Failure error code.
- **lineNumber** Line number within the source code file where the error occurred.
- **message** Custom message associated with the failure (if any).
- **module** Name of the binary where the error occurred.
- **originatingContextId** Identifier for the oldest telemetry activity containing this error.
- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any).
- **originatingContextName** Name of the oldest telemetry activity containing this error.
- **threadId** Identifier of the thread the error occurred on.
## Setup events
### SetupPlatformTel.SetupPlatformTelActivityEvent
@ -3719,7 +4034,7 @@ The following fields are available:
- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download.
- **RevisionNumber** Identifies the revision number of this specific piece of content.
- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
- **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway.
- **ShippingMobileOperator** The mobile operator that a device shipped on.
- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult).
@ -3762,6 +4077,30 @@ The following fields are available:
- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
### SoftwareUpdateClientTelemetry.DownloadHeartbeat
This event allows tracking of ongoing downloads and contains data to explain the current state of the download
The following fields are available:
- **BundleID** Identifier associated with the specific content bundle. If this value is found, it shouldn't report as all zeros
- **BytesTotal** Total bytes to transfer for this content
- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat
- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat
- **CurrentError** Last (transient) error encountered by the active download
- **DownloadFlags** Flags indicating if power state is ignored
- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing)
- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered"
- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any
- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any
- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby)
- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one
- **ResumeCount** Number of times this active download has resumed from a suspended state
- **ServiceID** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc)
- **SuspendCount** Number of times this active download has entered a suspended state
- **SuspendReason** Last reason for why this active download entered a suspended state
### SoftwareUpdateClientTelemetry.Install
This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date.
@ -3891,7 +4230,7 @@ The following fields are available:
- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable.
- **RevisionId** The revision ID for a specific piece of content.
- **RevisionNumber** The revision number for a specific piece of content.
- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Windows Store
- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store
- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate.
- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate.
- **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob.
@ -4296,9 +4635,9 @@ The following fields are available:
- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred.
- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
- **TestId** ID that uniquely identifies a group of events.
- **WuId** Windows Update client ID.
@ -4460,7 +4799,7 @@ The following fields are available:
- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
@ -4488,6 +4827,45 @@ The following fields are available:
- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson).
### WerTraceloggingProvider.AppCrashEvent
This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record.
The following fields are available:
- **AppName** The name of the app that crashed.
- **AppSessionGuid** The unique ID used as a correlation vector for process instances in the telemetry backend.
- **AppTimeStamp** The date time stamp of the app.
- **AppVersion** The version of the app that crashed.
- **ExceptionCode** The exception code returned by the process that crashed.
- **ExceptionOffset** The address where the exception occurred.
- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, do not terminate the process after reporting.
- **ModName** The module name of the process that crashed.
- **ModTimeStamp** The date time stamp of the module.
- **ModVersion** The module version of the process that crashed.
- **PackageFullName** The package name if the crashing application is packaged.
- **PackageRelativeAppId** The relative application ID if the crashing application is packaged.
- **ProcessArchitecture** The architecture of the system.
- **ProcessCreateTime** The time of creation of the process that crashed.
- **ProcessId** The ID of the process that crashed.
- **ReportId** A unique ID used to identify the report. This can be used to track the report.
- **TargetAppId** The target app ID.
- **TargetAppVer** The target app version.
## Windows Phone events
### Microsoft.Windows.Phone.Telemetry.OnBoot.RebootReason
This event lists the reboot reason when an app is going to reboot.
The following fields are available:
- **BootId** The boot ID.
- **BoottimeSinceLastShutdown** The boot time since the last shutdown.
- **RebootReason** Reason for the reboot.
## Windows Store events
### Microsoft.Windows.Store.Partner.ReportApplication
@ -4496,6 +4874,17 @@ Report application event for Windows Store client.
### Microsoft.Windows.Store.StoreActivating
This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date.
The following fields are available:
- **correlationVectorRoot** Identifies multiple events within a session/sequence. Initial value before incrementation or extension.
- **protocolUri** Protocol URI used to activate the store.
- **reason** The reason for activating the store.
### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation
This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure.
@ -4519,7 +4908,7 @@ The following fields are available:
- **ProductId** The identity of the package or packages being installed.
- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled.
- **UserAttemptNumber** The total number of user attempts at installation before it was canceled.
- **WUContentId** Licensing identity of this package.
- **WUContentId** The Windows Update content ID.
### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds
@ -5275,7 +5664,7 @@ The following fields are available:
- **EventPublishedTime** Time when this event was generated.
- **flightID** The specific ID of the Windows Insider build.
- **revisionNumber** Update revision number.
- **updateId** Unique Update ID.
- **updateId** Unique Windows Update ID.
- **updateScenarioType** Update session type.
- **UpdateStatus** Last status of update.
- **wuDeviceid** Unique Device ID.
@ -5470,6 +5859,19 @@ The following fields are available:
- **wuDeviceid** The ID of the device in which the error occurred.
### Microsoft.Windows.Update.Orchestrator.USODiagnostics
This event sends data on whether the state of the update attempt, to help keep Windows up to date.
The following fields are available:
- **errorCode** result showing success or failure of current update
- **revisionNumber** Unique revision number of the Update
- **updateId** Unique ID for Update
- **updateState** Progress within an update state
- **wuDeviceid** Unique ID for Device
### Microsoft.Windows.Update.Orchestrator.UsoSession
This event represents the state of the USO service at start and completion.
@ -5598,4 +6000,41 @@ This event signals the completion of the setup process. It happens only once dur
## XBOX events
### Microsoft.Xbox.XamTelemetry.AppActivationError
This event indicates whether the system detected an activation error in the app.
The following fields are available:
- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app.
- **AppId** The Xbox LIVE Title ID.
- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate.
- **Result** The HResult error.
- **UserId** The Xbox LIVE User ID (XUID).
### Microsoft.Xbox.XamTelemetry.AppActivity
This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc.
The following fields are available:
- **AppActionId** The ID of the application action.
- **AppCurrentVisibilityState** The ID of the current application visibility state.
- **AppId** The Xbox LIVE Title ID of the app.
- **AppPackageFullName** The full name of the application package.
- **AppPreviousVisibilityState** The ID of the previous application visibility state.
- **AppSessionId** The application session ID.
- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa).
- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application.
- **DurationMs** The amount of time (in milliseconds) since the last application state transition.
- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license.
- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc).
- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license.
- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application.
- **UserId** The XUID (Xbox User ID) of the current user.

701
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
View File

File diff suppressed because it is too large Load Diff

925
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
View File

File diff suppressed because it is too large Load Diff

1369
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
View File

File diff suppressed because it is too large Load Diff

2
windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
View File

@ -365,7 +365,7 @@ Use the appropriate value in the table below when you configure the management p
| Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** |
> [!NOTE]
> When the User Configuration policy is set for Diagnostic Data, this will override the Computer Configuration setting.
> When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used.
### Use Group Policy to set the diagnostic data level

2
windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
ms.date: 10/16/2017
ms.date: 11/9/2018
author: danihalfin
ms.author: daniha
---

3
windows/privacy/windows-personal-data-services-configuration.md
View File

@ -59,6 +59,9 @@ This setting determines the amount of Windows diagnostic data sent to Microsoft.
>| **Default setting** | 2 - Enhanced |
>| **Recommended** | 2 - Enhanced |
>[!NOTE]
>When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used.
#### Registry
> [!div class="mx-tableFixed"]

18
windows/security/identity-protection/access-control/local-accounts.md
View File

@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.date: 07/30/2018
ms.date: 12/10/2018
---
# Local Accounts
@ -16,15 +16,8 @@ ms.date: 07/30/2018
This reference topic for the IT professional describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server. This topic does not describe the default local user accounts for an Active Directory domain controller.
**Did you mean…**
- [Active Directory Accounts](active-directory-accounts.md)
- [Microsoft Accounts](microsoft-accounts.md)
## <a href="" id="about-local-user-accounts-"></a>About local user accounts
Local user accounts are stored locally on the server. These accounts can be assigned rights and permissions on a particular server, but on that server only. Local user accounts are security principals that are used to secure and manage access to the resources on a standalone or member server for services or users.
This topic describes the following:
@ -475,14 +468,9 @@ Passwords can be randomized by:
- Purchasing and implementing an enterprise tool to accomplish this task. These tools are commonly referred to as "privileged password management" tools.
- Configuring, customizing and implementing a free tool to accomplish this task. A sample tool with source code is available at [Solution for management of built-in Administrator accounts password via GPO](https://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789).
- Configuring [Local Administrator Password Solution (LAPS)](https://www.microsoft.com/download/details.aspx?id=46899) to accomplish this task.
**Note**  
This tool is not supported by Microsoft. There are some important considerations to make before deploying this tool because this tool requires client-side extensions and schema extensions to support password generation and storage.
 
- Create and implement a custom script or solution to randomize local account passwords.
- Creating and implementing a custom script or solution to randomize local account passwords.
## <a href="" id="dhcp-references"></a>See also

BIN
windows/security/information-protection/bitlocker/images/kernel-dma-protection-security-center.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 142 KiB

BIN
windows/security/information-protection/images/kernel-dma-protection-security-center.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 89 KiB

BIN
windows/security/information-protection/images/kernel-dma-protection-security-center.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 130 KiB

12
windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
View File

@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: aadake
ms.date: 10/03/2018
ms.date: 12/08/2018
---
# Kernel DMA Protection for Thunderbolt™ 3
@ -65,11 +65,17 @@ Systems released prior to Windows 10 version 1803 do not support Kernel DMA Prot
Systems running Windows 10 version 1803 that do support Kernel DMA Protection do have this security feature enabled automatically by the OS with no user or IT admin configuration required.
**To check if a device supports Kernel DMA Protection**
### Using Security Center
Beginning with Wndows 10 version 1809, you can use Security Center to check if Kernel DMA Protection is enabled. Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation details** > **Memory access protection**.
![Kernel DMA protection in Security Center](bitlocker/images/kernel-dma-protection-security-center.png)
### Using System information
1. Launch MSINFO32.exe in a command prompt, or in the Windows search bar.
2. Check the value of **Kernel DMA Protection**.
![Kernel DMA protection](bitlocker/images/kernel-dma-protection.png)
![Kernel DMA protection in System Information](bitlocker/images/kernel-dma-protection.png)
3. If the current state of **Kernel DMA Protection** is OFF and **Virtualization Technology in Firmware** is NO:
- Reboot into BIOS settings
- Turn on Intel Virtualization Technology.

26
windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 09/03/2018
ms.date: 12/10/2018
---
# Configure and manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool
@ -37,16 +37,20 @@ MpCmdRun.exe [command] [-options]
Command | Description
:---|:---
\- ? **or** -h | Displays all available options for the tool
\-Scan [-ScanType #] [-File <path> [-DisableRemediation] [-BootSectorScan]][-Timeout <days>] | Scans for malicious software
\-Trace [-Grouping #] [-Level #]| Starts diagnostic tracing
\-GetFiles | Collects support information
\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures
\-AddDynamicSignature [-Path] | Loads a dynamic signature
\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures
\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
\-ValidateMapsConnection | Used to validate connection to the [cloud-delivered protection service](configure-network-connections-windows-defender-antivirus.md)
\-SignatureUpdate [-UNC [-Path <path>]] | Checks for new definition updates
\-? **or** -h | Displays all available options for this tool
\-Scan [-ScanType #] [-File <path> [-DisableRemediation] [-BootSectorScan]] [-Timeout <days>] [-Cancel] | Scans for malicious software
\-Trace [-Grouping #] [-Level #] | Starts diagnostic tracing
\-GetFiles | Collects support information
\-GetFilesDiagTrack | Same as Getfiles but outputs to temporary DiagTrack folder
\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures
\-RemoveDefinitions [-DynamicSignatures] | Removes only the dynamically downloaded signatures
\-SignatureUpdate [-UNC \| -MMPC] | Checks for new definition updates
\-Restore [-ListAll \| [[-Name <name>] [-All] \| [-FilePath <filePath>]] [-Path <path>]] | Restores or lists quarantined item(s)
\-AddDynamicSignature [-Path] | Loads a dynamic signature
\-ListAllDynamicSignatures | Lists the loaded dynamic signatures
\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
\-CheckExclusion -path <path> | Checks whether a path is excluded
## Related topics

19
windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 09/03/2018
ms.date: 12/10/2018
---
# Configure and validate exclusions based on file extension and folder location
@ -264,7 +264,7 @@ The following table describes how the wildcards can be used and provides some ex
## Review the list of exclusions
You can retrieve the items in the exclusion list with [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), PowerShell, or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
You can retrieve the items in the exclusion list with [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), MpCmdRun, PowerShell, or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
>[!IMPORTANT]
>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
@ -276,7 +276,18 @@ If you use PowerShell, you can retrieve the list in two ways:
- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
**Review the list of exclusions alongside all other Windows Defender Antivirus preferences:**
**Validate the exclusion list by using MpCmdRun:**
To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
```DOS
MpCmdRun.exe -CheckExclusion -path <path>
```
>[!NOTE]
>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
**Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:**
Use the following cmdlet:
@ -290,7 +301,7 @@ In the following example, the items contained in the `ExclusionExtension` list a
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
**Retrieve a specific exclusions list:**
**Retrieve a specific exclusions list by using PowerShell:**
Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:

20
windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 09/03/2018
ms.date: 12/10/2018
---
# Configure exclusions for files opened by processes
@ -147,14 +147,26 @@ Environment variables | The defined variable will be populated as a path when th
## Review the list of exclusions
You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
If you use PowerShell, you can retrieve the list in two ways:
- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
**Review the list of exclusions alongside all other Windows Defender Antivirus preferences:**
**Validate the exclusion list by using MpCmdRun:**
To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
```DOS
MpCmdRun.exe -CheckExclusion -path <path>
```
>[!NOTE]
>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
**Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:**
Use the following cmdlet:
@ -164,7 +176,7 @@ Get-MpPreference
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
**Retrieve a specific exclusions list:**
**Retrieve a specific exclusions list by using PowerShell:**
Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:

5
windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 09/03/2018
ms.date: 12/10/2018
---
# Configure scheduled quick or full Windows Defender Antivirus scans
@ -42,7 +42,6 @@ To configure the Group Policy settings described in this topic:
6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topics.
## Quick scan versus full scan and custom scan
@ -66,6 +65,8 @@ A custom scan allows you to specify the files and folders to scan, such as a USB
Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans.
>[!NOTE]
>If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Windows Defender Antivirus will run a full scan at the next scheduled time.
**Use Group Policy to schedule scans:**

2
windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
View File

@ -50,7 +50,7 @@ AppLocker helps administrators control how users can access and use files, such
You can administer AppLocker policies by using the Group Policy Management Console to create or edit a Group Policy Object (GPO), or to create or edit an AppLocker policy on a local computer by using the Local Group Policy Editor snap-in or the Local Security Policy snap-in (secpol.msc).
### Administer Applocker using Group Policy
### Administer AppLocker using Group Policy
You must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. Also, the Group Policy Management feature must be installed on the computer.

2
windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -50,7 +50,6 @@ detectionSource | string | Detection source.
threatFamilyName | string | Threat family.
title | string | Alert title.
description | String | Description of the threat, identified by the alert.
recommendedAction | String | Action recommended for handling the suspected threat.
alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created.
lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine.
firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine.
@ -74,7 +73,6 @@ machineId | String | ID of a [machine](machine-windows-defender-advanced-threat-
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",

3
windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md
View File

@ -26,7 +26,8 @@ ms.date: 11/20/2018
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink)
>[!TIP]
> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
You might want to experience Windows Defender ATP before you onboard more than a few machines to the service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated attacks, you can review how Windows Defender ATP surfaces malicious activity and explore how it enables an efficient response.

4
windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md
View File

@ -84,8 +84,8 @@ Content-Length: application/json
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"severity": "Low",
"title": "test alert",
"description": "redalert",
"recommendedAction": "white alert",
"description": "test alert",
"recommendedAction": "test alert",
"eventTime": "2018-08-03T16:45:21.7115183Z",
"reportId": "20776",
"category": "None"

21
windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 10/08/2018
ms.date: 12/10/2018
---
# Enable SIEM integration in Windows Defender ATP
@ -20,20 +20,29 @@ ms.date: 10/08/2018
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
Enable security information and event management (SIEM) integration so you can pull alerts from Windows Defender Security Center using your SIEM solution or by connecting directly to the alerts REST API.
## Prerequisites
- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is typically someone with a **Global administrator** role.
- During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you allow pop-ups for this site.
## Enabling SIEM integration
1. In the navigation pane, select **Settings** > **SIEM**.
![Image of SIEM integration from Settings menu](images/atp-siem-integration.png)
![Image of SIEM integration from Settings menu](images/enable_siem.png)
>[!TIP]
>If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability.
2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant.
> [!WARNING]
>The client secret is only displayed once. Make sure you keep a copy of it in a safe place.<br>
For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret).
> [!WARNING]
>The client secret is only displayed once. Make sure you keep a copy of it in a safe place.<br>
For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret).
![Image of SIEM integration from Settings menu](images/siem_details.png)
3. Choose the SIEM type you use in your organization.

3
windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md
View File

@ -100,8 +100,7 @@ Content-type: application/json
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"description": "Some description",
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",

3
windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md
View File

@ -87,8 +87,7 @@ Here is an example of the response.
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",

6
windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -100,8 +100,7 @@ Here is an example of the response.
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"description": "Some description",
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
@ -121,8 +120,7 @@ Here is an example of the response.
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",

6
windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -96,8 +96,7 @@ Content-type: application/json
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
@ -117,8 +116,7 @@ Content-type: application/json
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"description": "Some description",
"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
"firstEventTime": "2018-11-24T16:17:50.0948658Z",
"lastEventTime": "2018-11-24T16:18:01.809871Z",

3
windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -94,8 +94,7 @@ Content-type: application/json
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"description": "Some description",
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",

3
windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -93,8 +93,7 @@ Content-type: application/json
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",

3
windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -93,8 +93,7 @@ Content-type: application/json
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",

3
windows/security/threat-protection/windows-defender-atp/get-started.md
View File

@ -20,7 +20,8 @@ ms.date: 11/20/2018
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>[!TIP]
> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender ATP.

6
windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -93,8 +93,7 @@ Content-type: application/json
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
@ -114,8 +113,7 @@ Content-type: application/json
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"description": "Some description",
"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
"firstEventTime": "2018-11-24T16:17:50.0948658Z",
"lastEventTime": "2018-11-24T16:18:01.809871Z",

BIN
windows/security/threat-protection/windows-defender-atp/images/enable_siem.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 49 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/siem_details.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 68 KiB

6
windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md
View File

@ -31,12 +31,12 @@ Windows Defender ATP applies two methods to discover and protect data:
## Data discovery
Windows Defender ATP automatically discovers files with Office 365 sensitivity labels on Windows devices when the feature is enabled. You can enable the Azure Information Protection integration feature from Windows Defender Security Center. For more information, see [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md#azure-information-protection).
Windows Defender ATP automatically discovers files with sensitivity labels on Windows devices when the feature is enabled. You can enable the Azure Information Protection integration feature from Windows Defender Security Center. For more information, see [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md#azure-information-protection).
![Image of settings page with Azure Information Protection](images/atp-settings-aip.png)
After enabling the Azure Information Protection integration, data discovery signals are immediately forwarded to Azure Information Protection from the device. When a file that has a sensitivity label applied is created or modified on a Windows device, Windows Defender ATP automatically reports the signal to Azure Information Protection.
After enabling the Azure Information Protection integration, data discovery signals are immediately forwarded to Azure Information Protection from the device. When a labeled file is created or modified on a Windows device, Windows Defender ATP automatically reports the signal to Azure Information Protection.
The reported signals can be viewed on the Azure Information Protection - Data discovery dashboard.
@ -70,7 +70,7 @@ InformationProtectionLogs_CL
```
**Prerequisites:**
- Customers must have a subscription for Azure Information Protection, and be using a unified labeling client.
- Customers must have a subscription for Azure Information Protection.
- Enable Azure Information Protection integration in Windows Defender Security Center:
- Go to **Settings** in Windows Defender Security Center, click on **Advanced Settings** under **General**.

2
windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md
View File

@ -40,7 +40,7 @@ id | Guid | Identity of the [Machine Action](machineaction-windows-defender-adva
type | Enum | Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution"
requestor | String | Identity of the person that executed the action.
requestorComment | String | Comment that was written when issuing the action.
status | Enum | Current status of the command. Possible values are: "InProgress", "Succeeded", "Failed", "TimeOut" and "Cancelled".
status | Enum | Current status of the command. Possible values are: "Pending", "InProgress", "Succeeded", "Failed", "TimeOut" and "Cancelled".
machineId | String | Id of the machine on which the action was executed.
creationDateTimeUtc | DateTimeOffset | The date and time when the action was created.
lastUpdateTimeUtc | DateTimeOffset | The last date and time when the action status was updated.

3
windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
View File

@ -25,7 +25,8 @@ There are some minimum requirements for onboarding machines to the service.
>[!TIP]
> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
## Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:

3
windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
View File

@ -58,9 +58,6 @@ Review the following details to verify minimum system requirements:
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
- Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
>[!NOTE]
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
- Install either [.NET framework 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)

3
windows/security/threat-protection/windows-defender-atp/overview.md
View File

@ -22,7 +22,8 @@ ms.date: 11/20/2018
Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the complete threat protection platform.
>[!TIP]
> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
## In this section

8
windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
View File

@ -73,7 +73,7 @@ The response will include an access token and expiry information.
```json
{
"token_type": "Bearer",
"expires_in": "3599"
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1488720683",
"not_before": "1488720683",
@ -98,7 +98,7 @@ Authorization | string | Required. The Azure AD access token in the form **Beare
### Request parameters
Use optional query parameters to specify and control the amount of data returned in a response. If you call this method without parameters, the response contains all the alerts in your organization.
Use optional query parameters to specify and control the amount of data returned in a response. If you call this method without parameters, the response contains all the alerts in your organization in the last 2 hours.
Name | Value| Description
:---|:---|:---
@ -106,7 +106,9 @@ DateTime?sinceTimeUtc | string | Defines the lower time bound alerts are retriev
DateTime?untilTimeUtc | string | Defines the upper time bound alerts are retrieved. <br> The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time. <br><br> **NOTE**: When not specified, the default value will be the current time.
string ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time. <br><br> Value should be set according to **ISO 8601** duration format <br> E.g. `ago=PT10M` will pull alerts received in the last 10 minutes.
int?limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.<br><br> **NOTE**: When not specified, all alerts available in the time range will be retrieved.
machinegroups | String | Specifies machine groups to pull alerts from . <br><br> **NOTE**: When not specified, alerts from all machine groups will be retrieved. <br><br> Example: <br><br> ```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines```
machinegroups | String | Specifies machine groups to pull alerts from. <br><br> **NOTE**: When not specified, alerts from all machine groups will be retrieved. <br><br> Example: <br><br> ```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines```
DeviceCreatedMachineTags | string | Single machine tag from the registry.
CloudCreatedMachineTags | string | Machine tags that were created in Windows Defender Security Center.
### Request example
The following example demonstrates how to retrieve all the alerts in your organization.

2
windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md
View File

@ -236,7 +236,7 @@ For a machine to be considered "well configured", it must comply to a minimum ba
>This security control is only applicable for machines with Windows 10, version 1803 or later.
#### Minimum baseline configuration setting for BitLocker
- Ensure all supported internal drives are encrypted
- Ensure all supported drives are encrypted
- Ensure that all suspended protection on drives resume protection
- Ensure that drives are compatible

3
windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md
View File

@ -98,8 +98,7 @@ Here is an example of the response.
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"description": "Some description",
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",

3
windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
View File

@ -68,7 +68,8 @@ Windows Defender ATP uses the following combination of technology built into Win
>[!TIP]
> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
**[Attack surface reduction](overview-attack-surface-reduction.md)**<br>
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.

4
windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
View File

@ -33,13 +33,13 @@ You can also get detailed reporting into events and blocks as part of Windows Se
You can create custom views in the Windows Event Viewer to only see events for specific capabilities and settings.
The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page.
The easiest way to do this is to import a custom view as an XML file. You can copy the XML directly from this page.
You can also manually navigate to the event area that corresponds to the feature, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic for more details.
### Import an existing XML custom view
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropriate file to an easily accessible location. The following filenames are each of the custom views:
1. Create an empty .txt file and copy the XML for the custom view you want to use into the .txt file. Do this for each of the custom views you want to use. Rename the files as follows (ensure you change the type from .txt to .xml):
- Controlled folder access events custom view: *cfa-events.xml*
- Exploit protection events custom view: *ep-events.xml*
- Attack surface reduction events custom view: *asr-events.xml*

1
windows/whats-new/docfx.json
View File

@ -36,7 +36,6 @@
"ms.technology": "windows",
"ms.topic": "article",
"ms.author": "trudyha",
"ms.date": "04/05/2017",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",