diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 3562d6d9f1..2ffc227a40 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -8,7 +8,7 @@
 "locale": "en-us",
 "monikers": [],
 "moniker_ranges": [],
- "open_to_public_contributors": true,
+ "open_to_public_contributors": false,
 "type_mapping": {
 "Conceptual": "Content",
 "ManagedReference": "Content",
@@ -40,7 +40,7 @@
 "locale": "en-us",
 "monikers": [],
 "moniker_ranges": [],
- "open_to_public_contributors": true,
+ "open_to_public_contributors": false,
 "type_mapping": {
 "Conceptual": "Content",
 "ManagedReference": "Content",
@@ -56,7 +56,7 @@
 "locale": "en-us",
 "monikers": [],
 "moniker_ranges": [],
- "open_to_public_contributors": true,
+ "open_to_public_contributors": false,
 "type_mapping": {
 "Conceptual": "Content",
 "ManagedReference": "Content",
@@ -88,7 +88,7 @@
 "locale": "en-us",
 "monikers": [],
 "moniker_ranges": [],
- "open_to_public_contributors": true,
+ "open_to_public_contributors": false,
 "type_mapping": {
 "Conceptual": "Content",
 "ManagedReference": "Content",
@@ -120,7 +120,7 @@
 "locale": "en-us",
 "monikers": [],
 "moniker_ranges": [],
- "open_to_public_contributors": true,
+ "open_to_public_contributors": false,
 "type_mapping": {
 "Conceptual": "Content",
 "ManagedReference": "Content",
@@ -136,7 +136,7 @@
 "locale": "en-us",
 "monikers": [],
 "moniker_ranges": [],
- "open_to_public_contributors": true,
+ "open_to_public_contributors": false,
 "type_mapping": {
 "Conceptual": "Content",
 "ManagedReference": "Content",
@@ -200,7 +200,7 @@
 "locale": "en-us",
 "monikers": [],
 "moniker_ranges": [],
- "open_to_public_contributors": true,
+ "open_to_public_contributors": false,
 "type_mapping": {
 "Conceptual": "Content",
 "ManagedReference": "Content",
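Review bot: `"open_to_public_contributors": false,` is applied to nine docset entries in this file (old lines 11, 43, 59, 91, 123, 139 and 203 here, plus 235 and 283 in the following hunks), but the hunk offsets suggest further docset entries sit between them that the commit leaves untouched. If the intent is to close every docset to public contributions, confirm that the untouched entries already carry `false`, since one entry left at `true` would be an exception that is easy to miss in review. The docset objects begin and end outside the hunks, so the names of the affected docsets cannot be checked from the lines shown.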
@@ -232,7 +232,7 @@
 "locale": "en-us",
 "monikers": [],
 "moniker_ranges": [],
- "open_to_public_contributors": true,
+ "open_to_public_contributors": false,
 "type_mapping": {
 "Conceptual": "Content",
 "ManagedReference": "Content",
@@ -280,7 +280,7 @@
 "locale": "en-us",
 "monikers": [],
 "moniker_ranges": [],
- "open_to_public_contributors": true,
+ "open_to_public_contributors": false,
 "type_mapping": {
 "Conceptual": "Content",
 "ManagedReference": "Content",
@@ -481,4 +481,4 @@
 },
 "need_generate_pdf": false,
 "need_generate_intellisense": false
-}
\ No newline at end of file
+}
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 9fa201861f..baa0b106f7 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -786,11 +786,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction",
 "redirect_document_id": true
@@ -881,11 +876,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/prerelease.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prerelease",
 "redirect_document_id": true
diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json
index 730c9d7ac2..45cd5c2570 100644
--- a/browsers/edge/docfx.json
+++ b/browsers/edge/docfx.json
@@ -34,9 +34,8 @@
 "ms.topic": "article",
 "manager": "laurawi",
 "ms.prod": "edge",
- "feedback_system": "GitHub",
- "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
- "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
+ "feedback_system": "None",
+ "hideEdit": true,
 "_op_documentIdPathDepotMapping": {
 "./": {
 "depot_name": "Win.microsoft-edge",
diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json
index 934ad0e5f6..1cec2c9694 100644
--- a/browsers/internet-explorer/docfx.json
+++ b/browsers/internet-explorer/docfx.json
@@ -30,9 +30,8 @@
 "ms.topic": "article",
 "manager": "laurawi",
 "ms.date": "04/05/2017",
- "feedback_system": "GitHub",
- "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
- "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
+ "feedback_system": "None",
+ "hideEdit": true,
 "_op_documentIdPathDepotMapping": {
 "./": {
 "depot_name": "Win.internet-explorer",
diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md
index 03234dc869..dbf40a28b2 100644
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@@ -23,17 +23,17 @@ ## [Set up ring based updates for HoloLens](hololens-updates.md) ## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) -# User management and access management -## [Share your HoloLens with multiple people](hololens-multiple-users.md) -## [Set up HoloLens as a kiosk (single application access)](hololens-kiosk.md) -## [Set up limited application access](hololens-kiosk.md) - # Navigating Windows Holographic ## [Start menu and mixed reality home](holographic-home.md) ## [Use your voice with HoloLens](hololens-cortana.md) ## [Find and save files](hololens-find-and-save-files.md) ## [Create, share, and view photos and video](holographic-photos-and-video.md) +# User management and access management +## [Share your HoloLens with multiple people](hololens-multiple-users.md) +## [Set up HoloLens as a kiosk (single application access)](hololens-kiosk.md) +## [Set up limited application access](hololens-kiosk.md) + # Holographic Applications ## [Try 3D Viewer](holographic-3d-viewer-beta.md) ## [Find, install, and uninstall applications](holographic-store-apps.md) @@ -53,6 +53,8 @@ # Update and recovery ## [Join the Windows Insider program](hololens-insider.md) ## [Restart, reset, or recover](hololens-recovery.md) +## [Known issues](hololens-known-issues.md) +## [Frequently asked questions](hololens-faq.md) # [Give us feedback](hololens-feedback.md) # [Change history for Microsoft HoloLens documentation](change-history-hololens.md) diff --git a/devices/hololens/holographic-3d-viewer-beta.md b/devices/hololens/holographic-3d-viewer-beta.md index 0aada1fe55..14514a5133 100644 --- a/devices/hololens/holographic-3d-viewer-beta.md +++ b/devices/hololens/holographic-3d-viewer-beta.md @@ -6,8 +6,9 @@ ms.sitesec: library author: Teresa-Motiv ms.author: v-tea ms.topic: article +audience: ITPro ms.localizationpriority: medium -ms.date: 9/3/19 +ms.date: 10/30/2019 ms.reviewer: manager: jarrettr appliesto: 
@@ -59,22 +60,22 @@ If you're having trouble after reading these topics, see [Troubleshooting](#trou - Scale/rotation/translation animation on individual objects - Skeletal (rigged) animation with skinning - - Maximum of 4 influences per vertex + - Maximum of 4 influences per vertex ### Materials - Lambert and Phong materials are supported, with adjustable parameters - Supported material properties for Lambert - - Main Texture (RGB + Alpha Test) - - Diffuse Color (RGB) - - Ambient Color (RGB) + - Main Texture (RGB + Alpha Test) + - Diffuse Color (RGB) + - Ambient Color (RGB) - Supported material properties for Phong - - Main Texture (RGB + Alpha Test) - - Diffuse Color (RGB) - - Ambient Color (RGB) - - Specular Color (RGB) - - Shininess - - Reflectivity + - Main Texture (RGB + Alpha Test) + - Diffuse Color (RGB) + - Ambient Color (RGB) + - Specular Color (RGB) + - Shininess + - Reflectivity - Custom materials are not supported - Maximum of one material per mesh - Maximum of one material layer diff --git a/devices/hololens/holographic-custom-apps.md b/devices/hololens/holographic-custom-apps.md index 4936fab2b7..0a86a7b37a 100644 --- a/devices/hololens/holographic-custom-apps.md +++ b/devices/hololens/holographic-custom-apps.md @@ -35,7 +35,6 @@ You can install your own applications on HoloLens either by using the Device Por > Make sure to reference any associated dependency and certificate files. 1. Select **Go**. - ![Install app form in Windows Device Portal on Microsoft HoloLens](images/deviceportal-appmanager.jpg) ### Deploying from Microsoft Visual Studio 2015 
@@ -44,7 +43,6 @@ You can install your own applications on HoloLens either by using the Device Por 1. Open the project's **Properties**. 1. Select the following build configuration: **Master/x86/Remote Machine**. 1. When you select **Remote Machine**: - - Make sure the address points to the Wi-Fi IP address of your HoloLens. - Set authentication to **Universal (Unencrypted Protocol)**. 1. Build your solution. diff --git a/devices/hololens/hololens-FAQ.md b/devices/hololens/hololens-FAQ.md new file mode 100644 index 0000000000..203d5185f8 --- /dev/null +++ b/devices/hololens/hololens-FAQ.md 
@@ -0,0 +1,217 @@ +--- +title: Frequently asked questions about HoloLens and holograms +description: Do you have a quick question about HoloLens or interacting with holograms? This article provides a quick answer and more resources. +keywords: hololens, faq, known issue, help +ms.prod: hololens +ms.sitesec: library +author: Teresa-Motiv +ms.author: v-tea +ms.topic: article +audience: ITPro +ms.localizationpriority: medium +ms.date: 10/30/2019 +ms.reviewer: +manager: jarrettr +appliesto: +- HoloLens (1st gen) +- HoloLens 2 +--- + +# HoloLens and holograms: Frequently asked questions + +Here are some answers to questions you might have about using HoloLens, placing holograms, working with spaces, and more. + +Any time you're having problems, make sure HoloLens is [charged up](https://support.microsoft.com/help/12627/hololens-charge-your-hololens). Try [restarting it](hololens-restart-recover.md) to see if that fixes things. And please use the Feedback app to send us info about the issue—you'll find it on the [**Start** menu](holographic-home.md). + +For tips about wearing your HoloLens, see [HoloLens fit and comfort: FAQ](https://support.microsoft.com/help/13405/hololens-fit-and-comfort-faq). 
+ +This FAQ addresses the following questions and issues: + + +- [My holograms don't look right or are moving around](#my-holograms-dont-look-right-or-are-moving-around) +- [I see a message that says "Finding your space"](#i-see-a-message-that-says-finding-your-space) +- [I'm not seeing the holograms I expect to see in my space](#im-not-seeing-the-holograms-i-expect-to-see-in-my-space) +- [I can't place holograms where I want](#i-cant-place-holograms-where-i-want) +- [Holograms disappear or are encased in other holograms or objects](#holograms-disappear-or-are-encased-in-other-holograms-or-objects) +- [I can see holograms that are on the other side of a wall](#i-can-see-holograms-that-are-on-the-other-side-of-a-wall) +- [When I place a hologram on a wall, it seems to float](#when-i-place-a-hologram-on-a-wall-it-seems-to-float) +- [Apps appear too close to me when I'm trying to move them](#apps-appear-too-close-to-me-when-im-trying-to-move-them) +- [I'm getting a low disk space error](#im-getting-a-low-disk-space-error) +- [HoloLens doesn't respond to my gestures](#hololens-doesnt-respond-to-my-gestures) +- [HoloLens doesn't respond to my voice](#hololens-doesnt-respond-to-my-voice) +- [I'm having problems pairing or using a Bluetooth device](#im-having-problems-pairing-or-using-a-bluetooth-device) +- [I'm having problems with the HoloLens clicker](#im-having-problems-with-the-hololens-clicker) +- [I can't connect to Wi-Fi](#i-cant-connect-to-wi-fi) +- [My HoloLens isn't running well, is unresponsive, or won't start](#my-hololens-isnt-running-well-is-unresponsive-or-wont-start) +- [How do I delete all spaces?](#how-do-i-delete-all-spaces) +- [I cannot find or use the keyboard to type in the HoloLens 2 Emulator](#i-cannot-find-or-use-the-keyboard-to-type-in-the-hololens-2-emulator) + +## My holograms don't look right or are moving around + +If your holograms don't look right (for example, they're jittery or shaky, or you see black patches on top of them), try one of 
these fixes: + +- [Clean your device visor](hololens1-hardware.md#care-and-cleaning) and make sure nothing is blocking the sensors. +- Make sure you're in a well-lit room without a lot of direct sunlight. +- Try walking around and gazing at your surroundings so HoloLens can scan them more completely. +- If you've placed a lot of holograms, try removing some. + +If you're still having problems, trying running the Calibration app, which calibrates your HoloLens just for you, to help keep your holograms looking their best. Go to **Settings **>** System **>** Utilities**. Under Calibration, select **Open Calibration**. + +[Back to list](#list) + +## I see a message that says Finding your space + +When HoloLens is learning or loading a space, you might see a brief message that says "Finding your space." If this message continues for more than a few seconds, you'll see another message under the Start menu that says "Still looking for your space." + +These messages mean that HoloLens is having trouble mapping your space. When this happens, you'll be able to open apps, but you won't be able to place holograms in your environment. + +If you see these messages often, try the following: + +- Make sure you're in a well-lit room without a lot of direct sunlight. +- Make sure your device visor is clean. [Learn how](hololens1-hardware.md#care-and-cleaning). +- Make sure you have a strong Wi-Fi signal. If you enter a new environment that has no Wi-Fi or a weak signal, HoloLens won't be able find your space. Check your Wi-Fi connection by going to **Settings **> **Network & Internet** >** Wi-Fi**. +- Try moving more slowly. + +[Back to list](#list) + +## I'm not seeing the holograms I expect to see in my space + +If you don't see holograms you placed, or you're seeing some you don't expect, try the following: + +- Try turning on some lights. HoloLens works best in a well-lit space. 
+- Remove holograms you don't need by going to **Settings** > **System** > **Holograms** > **Remove nearby holograms**. Or, if needed, select **Remove all holograms**. + + > [!NOTE] + > If the layout or lighting in your space changes significantly, your device might have trouble identifying your space and showing your holograms. + +[Back to list](#list) + +## I can't place holograms where I want + +Here are some things to try if you're having trouble placing holograms: + +- Stand about 1 to 3 meters from where you're trying to place the hologram. +- Don't place holograms on black or reflective surfaces. +- Make sure you're in a well-lit room without a lot of direct sunlight. +- Walk around the rooms so HoloLens can rescan your surroundings. To see what's already been scanned, air tap to reveal the mapping mesh graphic. + +[Back to list](#list) + +## Holograms disappear or are encased in other holograms or objects + +If you get too close to a hologram, it will temporarily disappear—just move away from it. Also, if you've placed a lot of holograms close together, some may disappear. Try removing a few. + +Holograms can also be blocked or encased by other holograms or by objects such as walls. If this happens, try one of the following: + +- If the hologram is encased in another hologram, move it to another location: select **Adjust**, then tap and hold to position it. +- If the hologram is encased in a wall, select **Adjust**, then walk toward the wall until the hologram appears. Tap and hold, then pull the hologram forward and out of the wall. +- If you can't move the hologram with gestures, use your voice to remove it. Gaze at the hologram, then say "Remove." Then reopen it and place it in a new location. + +[Back to list](#list) + +## I can see holograms that are on the other side of a wall + +If you're very close to a wall, or if HoloLens hasn't scanned the wall yet, you'll be able to see holograms that are in the next room. 
Stand 1 to 3 meters from the wall and gaze to scan it. + +If HoloLens has problems scanning the wall, it might be because there's a black or reflective object nearby (for example, a black couch or a stainless steel refrigerator). If there is, scan the other side of the wall. + +[Back to list](#list) + +## When I place a hologram on a wall, it seems to float + +Holograms placed on walls will appear to be an inch or so away from the wall. If they appear farther away, try the following: + +- Stand 1 to 3 meters from the wall when you place a hologram and face the wall straight on. +- Air tap the wall to reveal the mapping mesh graphic. Make sure the mesh is lined up with the wall. If it isn't, remove the hologram, rescan the wall, and try again. +- If the issue persists, run the Calibration app. You'll find it in **Settings** > **System** > **Utilities**. + +[Back to list](#list) + +## Apps appear too close to me when I'm trying to move them + +Try walking around and looking at the area where you're placing the app so HoloLens will scan it from different angles. [Cleaning your device visor](hololens1-hardware.md#care-and-cleaning) may also help. + +[Back to list](#list) + +## I'm getting a low disk space error + +Free up some storage space by doing one or more of the following: + +- Remove some of the holograms you've placed, or remove some saved data from within apps. [How do I find my data?](hololens-find-and-save-files.md) +- Delete some pictures and videos in the Photos app. +- Uninstall some apps from your HoloLens. In the All apps list, tap and hold the app you want to uninstall, then select **Uninstall**. (This will also delete any of the app's data stored on the device.) + +[Back to list](#list) + +## HoloLens doesn't respond to my gestures + +To make sure HoloLens can see your gestures, keep your hand in the gesture frame, which extends a couple of feet on either side of you. 
HoloLens can also best see your hand when you hold it about 18 inches in front of your body (though you don't have to be precise about this). When HoloLens can see your hand, the cursor will change from a dot to a ring. Learn more about [using gestures in HoloLens 2](hololens2-basic-usage.md) or [using gestures in HoloLens (1st gen)](hololens1-basic-usage.md). + +[Back to list](#list) + +## HoloLens doesn't respond to my voice + +If Cortana isn't responding to your voice, make sure Cortana is on. In the **All apps** list, select **Cortana** > **Menu** > **Notebook** > **Settings** to make changes. To learn more about what you can say, see [Use your voice with HoloLens](hololens-cortana.md). + +[Back to list](#list) + +## I'm having problems pairing or using a Bluetooth device + +If you're having problems [pairing a Bluetooth device](hololens-connect-devices.md), try the following: + +- Go to **Settings** > **Devices** and make sure Bluetooth is turned on. If it is, try turning if off and on again. +- Make sure your Bluetooth device is fully charged or has fresh batteries. +- If you still can't connect, [restart your HoloLens](hololens-recovery.md). + +If you're having trouble using a Bluetooth device, make sure it's a supported device. Supported devices include: + +- English-language QWERTY Bluetooth keyboards, which can be used anywhere you use the holographic keyboard. +- Bluetooth mice. +- The [HoloLens clicker](hololens1-clicker.md). + +Other Bluetooth HID and GATT devices can be paired, but they might require a companion app from Microsoft Store to work with HoloLens. + +HoloLens doesn't support Bluetooth audio profiles. Bluetooth audio devices, such as speakers and headsets, may appear as available in HoloLens settings, but they aren't supported. + +[Back to list](#list) + +## I'm having problems with the HoloLens clicker + +Use the [clicker](hololens1-clicker.md) to select, scroll, move, and resize holograms. 
Additional clicker gestures may vary from app to app. + +If you're having trouble using the clicker, make sure its charged and paired with your HoloLens. If the battery is low, the indicator light will blink amber. To see if its paired, go to **Settings** > **Devices** and see if it shows up there. [Pair the clicker](hololens-connect-devices.md#pair-the-clicker). + +If the clicker is charged and paired and you're still having problems, reset it by holding down the main button and the pairing button for 15 seconds. Then pair the clicker with your HoloLens again. + +If that doesn't help, see [Restart or recover the HoloLens clicker](hololens1-clicker.md#restart-or-recover-the-clicker). + +[Back to list](#list) + +## I can't connect to Wi-Fi + +Here are some things to try if you can't connect to Wi-Fi on HoloLens: + +- Make sure Wi-Fi is turned on. Bloom to go to Start, then select **Settings** > **Network & Internet** > **Wi-Fi** to check. If Wi-Fi is on, try turning it off and on again. +- Move closer to the router or access point. +- Restart your Wi-Fi router, then [restart HoloLens](hololens-recovery.md). Try connecting again. +- If none of these things work, check to make sure your router is using the latest firmware. You can find this information on the manufacturers website. + +[Back to list](#list) + +## My HoloLens isn't running well, is unresponsive, or won't start + +If your device isn't performing properly, see [Restart, reset, or recover HoloLens](hololens-recovery.md). + +[Back to list](#list) + +## How do I delete all spaces? + +*Coming soon* + +[Back to list](#list) + +## I cannot find or use the keyboard to type in the HoloLens 2 Emulator + +*Coming soon* + +[Back to list](#list) diff --git a/devices/hololens/hololens-commercial-features.md b/devices/hololens/hololens-commercial-features.md index 1b3fdcdcd4..309d81e904 100644 --- a/devices/hololens/hololens-commercial-features.md +++ b/devices/hololens/hololens-commercial-features.md 
@@ -1,11 +1,12 @@ --- title: Commercial features description: The Microsoft HoloLens Commercial Suite includes features that make it easier for businesses to manage HoloLens devices. HoloLens 2 devices are equipped with commercial features by default. +keywords: HoloLens, commercial, features, mdm, mobile device management, kiosk mode author: scooley ms.author: scooley -ms.date: 08/26/19 +ms.date: 08/26/2019 ms.topic: article -keywords: HoloLens, commercial, features, mdm, mobile device management, kiosk mode +audience: ITPro ms.prod: hololens ms.sitesec: library ms.localizationpriority: high @@ -53,7 +54,7 @@ HoloLens (1st gen) came with two licensing options, the developer license and a |Ability to block unenrollment | |✔️ |✔️ | |Cert-based corporate Wi-Fi access | |✔️ |✔️ | |Microsoft Store (Consumer) |Consumer |Filter by using MDM |Filter by using MDM | -[Business Store Portal](https://docs.microsoft.com/microsoft-store/working-with-line-of-business-apps) | |✔️ |✔️ | +|[Business Store Portal](https://docs.microsoft.com/microsoft-store/working-with-line-of-business-apps) | |✔️ |✔️ | |**Security and identity** | | | | |Sign in by using Azure Active Directory (AAD) account |✔️ |✔️ |✔️ | |Sign in by using Microsoft Account (MSA) |✔️ |✔️ |✔️ | diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md index 5ffe60d2e1..f95a0321eb 100644 --- a/devices/hololens/hololens-cortana.md +++ b/devices/hololens/hololens-cortana.md @@ -106,7 +106,7 @@ Here are some things you can try saying (remember to say "Hey Cortana" first). - Stop recording. (Stops recording a video.) - Call <*contact*>. (Requires Skype.) - What time is it? -- Show me the latest NBA scores. +- Show me the latest NBA scores. - How much battery do I have left? - Tell me a joke. diff --git a/devices/hololens/hololens-encryption.md b/devices/hololens/hololens-encryption.md index 62352e9767..6c8b9118e6 100644 --- a/devices/hololens/hololens-encryption.md 
+++ b/devices/hololens/hololens-encryption.md @@ -50,6 +50,7 @@ Provisioning packages are files created by the Windows Configuration Designer to 1. Find the XML license file that was provided when you purchased the Commercial Suite. +1. Browse to and select the XML license file that was provided when you purchased the Commercial Suite. >[!NOTE] >You can configure [additional settings in the provisioning package](hololens-provisioning.md). @@ -87,7 +88,7 @@ Provisioning packages are files created by the Windows Configuration Designer to 1. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with device setup. >[!NOTE] ->If the device was purchased before August 2016, you will need to sign into the device with a Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package. +>If the device was purchased before August 2016, you will need to sign into the device with a Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package. ## Verify device encryption diff --git a/devices/hololens/hololens-enroll-mdm.md b/devices/hololens/hololens-enroll-mdm.md index 2fd5775041..dc042a0f9f 100644 --- a/devices/hololens/hololens-enroll-mdm.md +++ b/devices/hololens/hololens-enroll-mdm.md @@ -1,16 +1,19 @@ --- -title: Enroll HoloLens in MDM (HoloLens) +title: Enroll HoloLens in MDM description: Enroll HoloLens in mobile device management (MDM) for easier management of multiple devices. ms.prod: hololens -ms.mktglfcycl: manage ms.sitesec: library -author: dansimp -ms.author: dansimp +ms.assetid: 2a9b3fca-8370-44ec-8b57-fb98b8d317b0 +author: scooley +ms.author: scooley ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 07/15/2019 ms.reviewer: manager: dansimp +appliesto: +- HoloLens (1st gen) +- HoloLens 2 --- # Enroll HoloLens in MDM 
@@ -39,3 +42,7 @@ When auto-enrollment is enabled, no additional manual enrollment is needed. When 1. Upon successful authentication to the MDM server, a success message is shown. Your device is now enrolled with your MDM server. The device will need to restart to acquire policies, certificates, and apps. The Settings app will now reflect that the device is enrolled in device management. + +## Unenroll HoloLens from Intune + +You cannot [unenroll](https://docs.microsoft.com/intune-user-help/unenroll-your-device-from-intune-windows) HoloLens from Intune remotely. If the administrator unenrolls the device using MDM, the device will age out of the Intune dashboard. \ No newline at end of file diff --git a/devices/hololens/hololens-environment-considerations.md b/devices/hololens/hololens-environment-considerations.md index fd573a27c0..e09691dddf 100644 --- a/devices/hololens/hololens-environment-considerations.md +++ b/devices/hololens/hololens-environment-considerations.md @@ -77,7 +77,7 @@ The cameras can see no closer than 15cm from an object. ### Surfaces in a space -Strongly reflective surfaces will likely look different depending on the angle, which affects tracking. Think of a brand new car—when you move around it, light reflects and you see different objects in the surface as you move. To the tracker, the different objects reflected in the surface represent a changing environment, and the device loses tracking. +Strongly reflective surfaces will likely look different depending on the angle, which affects tracking. Think of a brand new car - when you move around it, light reflects and you see different objects in the surface as you move. To the tracker, the different objects reflected in the surface represent a changing environment, and the device loses tracking. Less shiny objects are easier to track against. diff --git a/devices/hololens/hololens-feedback.md b/devices/hololens/hololens-feedback.md index 51509d0833..3199517a90 100644 
--- a/devices/hololens/hololens-feedback.md +++ b/devices/hololens/hololens-feedback.md @@ -80,4 +80,3 @@ To easily direct other people (such as co-workers, Microsoft staff, [forum](http 1. Enter your feedback. 1. If you are reporting a reproducible issue, you can select **Reproduce**. Without closing Feedback Hub, reproduce the issue. After you finish, come back to Feedback Hub and select **I’m done**. The app adds a mixed reality capture of your repro and relevant diagnostic logs to your feedback. 1. Select **Post feedback**, and you’re done. - diff --git a/devices/hololens/hololens-find-and-save-files.md b/devices/hololens/hololens-find-and-save-files.md index 8a9687ea25..098b387e5b 100644 --- a/devices/hololens/hololens-find-and-save-files.md +++ b/devices/hololens/hololens-find-and-save-files.md @@ -12,6 +12,9 @@ author: v-miegge ms.author: v-miegge ms.topic: article ms.localizationpriority: medium +appliesto: +- HoloLens (1st gen) +- HoloLens 2 --- # Find and save files on HoloLens diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md index 5eaf9ad296..604048e203 100644 --- a/devices/hololens/hololens-insider.md +++ b/devices/hololens/hololens-insider.md @@ -10,6 +10,9 @@ ms.localizationpriority: medium ms.date: 10/23/2018 ms.reviewer: manager: dansimp +appliesto: +- HoloLens (1st gen) +- HoloLens 2 --- # Insider preview for Microsoft HoloLens diff --git a/devices/hololens/hololens-known-issues.md b/devices/hololens/hololens-known-issues.md new file mode 100644 index 0000000000..2fa916f8d0 --- /dev/null +++ b/devices/hololens/hololens-known-issues.md 
@@ -0,0 +1,169 @@
+---
+title: HoloLens known issues
+description: This is the list of known issues that may affect HoloLens developers.
+keywords: troubleshoot, known issue, help
+author: mattzmsft
+ms.author: mazeller
+ms.date: 8/30/2019
+ms.topic: article
+HoloLens and holograms: Frequently asked questions
+manager: jarrettr
+ms.prod: hololens
+appliesto:
+- HoloLens 1
+---
+
+# HoloLens known issues
+
+This is the current list of known issues for HoloLens that affect developers. Check here first if you are seeing an odd behavior. This list will be kept updated as new issues are discovered or reported, or as issues are addressed in future HoloLens software updates.
+
+## Unable to connect and deploy to HoloLens through Visual Studio
+
+>[!NOTE]
+>Last Update: 8/8 @ 5:11PM - Visual Studio has released VS 2019 Version 16.2 which includes a fix to this issue. We recommend updating to this newest version to avoid experiencing this error.
+
+Visual Studio has released VS 2019 Version 16.2 which includes a fix to this issue. We recommend updating to this newest version to avoid experiencing this error.
+
+Issue root-cause: Users who used Visual Studio 2015 or early releases of Visual Studio 2017 to deploy and debug applications on their HoloLens and then subsequently used the latest versions of Visual Studio 2017 or Visual Studio 2019 with the same HoloLens will be affected. The newer releases of Visual Studio deploy a new version of a component, but files from the older version are left over on the device, causing the newer version to fail. This causes the following error message: DEP0100: Please ensure that target device has developer mode enabled. Could not obtain a developer license on \ due to error 80004005.
+
+### Workaround
+
+Our team is currently working on a fix. In the meantime, you can use the following steps to work around the issue and help unblock deployment and debugging:
+
+1. Open Visual Studio
+1. Select **File** > **New** > **Project**.
+1. Select **Visual C#** > **Windows Desktop** > **Console App (.NET Framework)**.
+1. Give the project a name (such as "HoloLensDeploymentFix") and make sure the Framework is set to at least .NET Framework 4.5, then Select **OK**.
+1. Right-click on the **References** node in Solution Explorer and add the following references (select to the **Browse** section and select **Browse**):
+
+ ``` CMD
+ C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86\Microsoft.Tools.Deploy.dll
+ C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86\Microsoft.Tools.Connectivity.dll
+ C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86\SirepInterop.dll
+ ```
+
+ >[!NOTE]
+ >If you don't have 10.0.18362.0 installed, use the most recent version that you have.
+
+1. Right-click on the project in Solution Explorer and select **Add** > **Existing Item**.
+1. Browse to C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86 and change the filter to **All Files (\*.\*)**.
+1. Select both SirepClient.dll and SshClient.dll, and Select **Add**.
+1. Locate and select both files in Solution Explorer (they should be at the bottom of the list of files) and change **Copy to Output Directory** in the **Properties** window to **Copy always**.
+1. At the top of the file, add the following to the existing list of `using` statements:
+
+ ``` CMD
+ using Microsoft.Tools.Deploy;
+ using System.Net;
+ ```
+
+1. Inside of `static void Main(...)`, add the following code:
+
+ ``` PowerShell
+ RemoteDeployClient client = RemoteDeployClient.CreateRemoteDeployClient();
+ client.Connect(new ConnectionOptions()
+ {
+ Credentials = new NetworkCredential("DevToolsUser", string.Empty),
+ IPAddress = IPAddress.Parse(args[0])
+ });
+ client.RemoteDevice.DeleteFile(@"C:\Data\Users\DefaultAccount\AppData\Local\DevelopmentFiles\VSRemoteTools\x86\CoreCLR\mscorlib.ni.dll");
+ ```
+
+1. Select **Build** > **Build Solution**.
+1. Open a Command Prompt Window and cd to the folder that contains the compiled .exe file (for example, C:\MyProjects\HoloLensDeploymentFix\bin\Debug)
+1. Run the executable and provide the device's IP address as a command-line argument. (If connected using USB, you can use 127.0.0.1, otherwise use the device’s Wi-Fi IP address.) For example, "HoloLensDeploymentFix 127.0.0.1"
+
+1. After the tool has exited without any messages (this should only take a few seconds), you will now be able to deploy and debug from Visual Studio 2017 or newer. Continued use of the tool is not necessary.
+
+We will provide further updates as they become available.
+
+## Issues launching the Microsoft Store and apps on HoloLens
+
+> [!NOTE]
+> Last Update: 4/2 @ 10 AM - Issue resolved.
+
+You may experience issues when trying to launch the Microsoft Store and apps on HoloLens. We've determined that the issue occurs when background app updates deploy a newer version of framework packages in specific sequences while one or more of their dependent apps are still running. In this case, an automatic app update delivered a new version of the .NET Native Framework (version 10.0.25531 to 10.0.27413) caused the apps that are running to not correctly update for all running apps consuming the prior version of the framework. The flow for framework update is as follows:
+
+1. The new framework package is downloaded from the store and installed
+1. All apps using the older framework are ‘updated’ to use the newer version
+
+If step 2 is interrupted before completion then any apps for which the newer framework wasn’t registered will fail to launch from the start menu. We believe any app on HoloLens could be affected by this issue.
+
+Some users have reported that closing hung apps and launching other apps such as Feedback Hub, 3D Viewer or Photos resolves the issue for them—however, this does not work 100% of the time.
+
+We have root caused that this issue was not caused the update itself, but a bug in the OS that resulted in the .NET Native framework update being handled incorrectly. We are pleased to announce that we have identified a fix and have released an update (OS version 17763.380) containing the fix.
+
+To see if your device can take the update, please:
+
+1. Go to the Settings app and open **Update & Security**.
+1. Select **Check for Updates**.
+1. If update to 17763.380 is available, please update to this build to receive the fix for the App Hang bug
+1. Upon updating to this version of the OS, the Apps should work as expected.
+
+Additionally, as we do with every HoloLens OS release, we have posted the FFU image to the [Microsoft Download Center](https://aka.ms/hololensdownload/10.0.17763.380).
+
+If you would not like to take the update, we have released a new version of the Microsoft Store UWP app as of 3/29. After you have the updated version of the Store:
+
+1. Open the Store and confirm that it loads.
+1. Use the bloom gesture to open the menu.
+1. Attempt to open previously broken apps.
+1. If it still cannot be launched, tap and hold the icon of the broken app and select uninstall.
+1. Resinstall these apps from the store.
+
+If your device is still unable to load apps, you can sideload a version of the .NET Native Framework and Runtime through the download center by following these steps:
+
+1. Please download [this zip file](https://download.microsoft.com/download/8/5/C/85C23745-794C-419D-B8D7-115FBCCD6DA7/netfx_1.7.zip) from the Microsoft Download Center. Unzipping will produce two files. Microsoft.NET.Native.Runtime.1.7.appx and Microsoft.NET.Native.Framework.1.7.appx
+1. Please verify that your device is dev unlocked. If you haven’t done that before the instructions to do that are [here](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal).
+1. You then want to get into the Windows Device Portal. Our recommendation is to do this over USB and you would do that by typing http://127.0.0.1:10080 into your browser.
+1. After you have the Windows Device Portal up we need you to “side load” the two files that you downloaded. To do that you need to go down the left side bar until you get to the **Apps** section and select **Apps**.
+1. You will then see a screen that is similar to the below. You want to go to the section that says **Install App** and browse to where you unzipped those two APPX files. You can only do one at a time, so after you select the first one, then click on “Go” under the Deploy section. Then do this for the second APPX file.
+
+ ![Windows Device Portal to Install Side-Loaded app](images/20190322-DevicePortal.png)
+1. At this point we believe your applications should start working again and that you can also get to the Store.
+1. In some cases, it is necessary run the additional step of launching the 3D Viewer app before affected apps will launch.
+
+We appreciate your patience as we have gone through the process to get this issue resolved, and we look forward to continued working with our community to create successful Mixed Reality experiences.
+
+## Connecting to WiFi
+
+During HoloLens Setup, there is a credential timeout of 2 minutes. The username/password needs to be entered within 2 minutes otherwise the username field will be automatically cleared.
+
+We recommend using a Bluetooth keyboard for entering long passwords.
+
+> [!NOTE]
+> If the wrong network is selected during HoloLens Setup, the device will need to be fully reset. Instructions can be found [here.](hololens-restart-recover.md)
+
+## Device Update
+
+- 30 seconds after a new update, the shell may disappear one time. Please perform the **bloom** gesture to resume your session.
+
+## Visual Studio
+
+- See [Install the tools](https://docs.microsoft.com/windows/mixed-reality/install-the-tools) for the most up-to-date version of Visual Studio that is recommended for HoloLens development.
+- When deploying an app from Visual Studio to your HoloLens, you may see the error: **The requested operation cannot be performed on a file with a user-mapped section open. (Exception from HRESULT: 0x800704C8)**. If this happens, try again and your deployment will generally succeed.
+
+## Emulator
+
+- Not all apps in the Microsoft Store are compatible with the emulator. For example, Young Conker and Fragments are not playable on the emulator.
+- You cannot use the PC webcam in the Emulator.
+- The Live Preview feature of the Windows Device Portal does not work with the emulator. You can still capture Mixed Reality videos and images.
+
+## Unity
+
+- See [Install the tools](https://docs.microsoft.com/windows/mixed-reality/install-the-tools) for the most up-to-date version of Unity recommended for HoloLens development.
+- Known issues with the Unity HoloLens Technical Preview are documented in the [HoloLens Unity forums](https://forum.unity3d.com/threads/known-issues.394627/).
+
+## Windows Device Portal
+
+- The Live Preview feature in Mixed Reality capture may exhibit several seconds of latency.
+- On the Virtual Input page, the Gesture and Scroll controls under the Virtual Gestures section are not functional. Using them will have no effect. The virtual keyboard on the same page works correctly.
+- After enabling Developer Mode in Settings, it may take a few seconds before the switch to turn on the Device Portal is enabled.
+
+## API
+
+- If the application sets the [focus point](https://docs.microsoft.com/windows/mixed-reality/focus-point-in-unity) behind the user or the normal to camera.forward, holograms will not appear in Mixed Reality Capture photos or videos. Until this bug is fixed in Windows, if applications actively set the [focus point](https://docs.microsoft.com/windows/mixed-reality/focus-point-in-unity) they should ensure the plane normal is set opposite camera-forward (for example, normal = -camera.forward).
+
+## Xbox Wireless Controller
+
+- Xbox Wireless Controller S must be updated before it can be used with HoloLens. Ensure you are [up to date](https://support.xbox.com/xbox-one/accessories/update-controller-for-stereo-headset-adapter) before attempting to pair your controller with a HoloLens.
+- If you reboot your HoloLens while the Xbox Wireless Controller is connected, the controller will not automatically reconnect to HoloLens. The Guide button light will flash slowly until the controller powers off after 3 minutes. To reconnect your controller immediately, power off the controller by holding the Guide button until the light turns off. When you power your controller on again, it will reconnect to HoloLens.
+- If your HoloLens enters standby while the Xbox Wireless Controller is connected, any input on the controller will wake the HoloLens. You can prevent this by powering off your controller when you are done using it.
diff --git a/devices/hololens/hololens-multiple-users.md b/devices/hololens/hololens-multiple-users.md
index 70bee8bc2d..d9d6704c78 100644
--- a/devices/hololens/hololens-multiple-users.md
+++ b/devices/hololens/hololens-multiple-users.md
@@ -21,6 +21,8 @@ It's common to share one HoloLens with many people or to have many people share
 ## Share with multiple people, each using their own account
+**Prerequisite**: The HoloLens device must be running Windows 10, version 1803 or later. HoloLens (1st gen) also need to be [upgraded to Windows Holographic for Business](hololens-upgrade-enterprise.md).
+
 When they use their own Azure Active Directory (Azure AD) accounts, multiple users can each keep their own user settings and user data on the device.
 To make sure that multiple people can use their own accounts on your HoloLens, follow these steps to configure it:
diff --git a/devices/hololens/hololens-status.md b/devices/hololens/hololens-status.md
index 9438c6d9d2..ca4e503851 100644
--- a/devices/hololens/hololens-status.md
+++ b/devices/hololens/hololens-status.md
@@ -16,7 +16,7 @@ ms.sitesec: library
 ✔️ **All services are active**
-**Key** ✔️ Good, ⓘ Information, ⚠ Warning, ❌ Critical
+**Key** ✔️ Good, ⓘ Information, ⚠ Warning, ❌ Critical
 Area|HoloLens (1st gen)|HoloLens 2
 ----|:----:|:----:
@@ -27,10 +27,10 @@ Area|HoloLens (1st gen)|HoloLens 2
 ## Notes and related topics
-[Frequently asked questions about using Skype for HoloLens](https://support.skype.com/en/faq/FA34641/frequently-asked-questions-about-using-skype-for-hololens)
+[Frequently asked questions about using Skype for HoloLens](https://support.skype.com/faq/FA34641/frequently-asked-questions-about-using-skype-for-hololens)
 For more details about the status of the myriad Azure Services that can connect to HoloLens, see [Azure status](https://azure.microsoft.com/status/).
-For more details about current known issues, see [HoloLens known issues](https://docs.microsoft.com/windows/mixed-reality/hololens-known-issues).
+For more details about current known issues, see [HoloLens known issues](hololens-known-issues.md).
 Follow HoloLens on [Twitter](https://twitter.com/HoloLens) and subscribe on [Reddit](https://www.reddit.com/r/HoloLens/).
diff --git a/devices/hololens/hololens2-basic-usage.md b/devices/hololens/hololens2-basic-usage.md
index e15003a8f4..d8cc60064a 100644
--- a/devices/hololens/hololens2-basic-usage.md
+++ b/devices/hololens/hololens2-basic-usage.md
@@ -28,7 +28,7 @@ This guide provides an intro to:
 On HoloLens, holograms blend the digital world with your physical environment to look and sound like they're part of your world. Even when holograms are all around you, you can always see your surroundings, move freely, and interact with people and objects. We call this experience "mixed reality".
-The holographic frame positions your holograms where your eyes are most sensitive to detail and the see-through lenses leave your peripheral vision unobscured. With spatial sound, you can pinpoint a hologram by listening, even if it’s behind you. And, because HoloLens understands your physical environment, you can place holograms on and around real objects such as tables and walls.
+The holographic frame positions your holograms where your eyes are most sensitive to detail and the see-through lenses leave your peripheral vision clear. With spatial sound, you can pinpoint a hologram by listening, even if it’s behind you. And, because HoloLens understands your physical environment, you can place holograms on and around real objects such as tables and walls.
 Getting around HoloLens is a lot like using your smart phone. You can use your hands to touch and manipulate holographic windows, menus, and buttons.
@@ -54,6 +54,8 @@ To bring up a **context menu**, like the ones you'll find on an app tile in the
 ## Use hand ray for holograms out of reach
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE3ZOum]
+
 When there are no holograms near your hands, the **touch cursor** will hide automatically and **hand rays** will appear from the palm of your hands. Hand rays allow you to interact with holograms from a distance.
 > [!TIP]
@@ -71,6 +73,8 @@ To select something using **hand ray**, follow these steps:
 ### Grab using air tap and hold
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE3Wxnh]
+
 To grab a hologram or scroll app window content using **hand ray**, start with an **air tap**, but keep your fingers together instead of releasing them.
 Use **air tap and hold** to perform the following actions with hand ray:
@@ -81,7 +85,9 @@ Use **air tap and hold** to perform the following actions with hand ray:
 ## Start gesture
-The Start gesture opens the **Start menu**. To perform the Start gesture, hold out your hand with your palm facing you. You’ll see a **Start icon** appear over your inner wrist. Tap this icon using your other hand. The Start menu will open **where you’re looking**.
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE3Wxng]
+
+The Start gesture opens the **Start menu**. To perform the Start gesture, hold out your hand with your palm facing you. You’ll see a **Start icon** appear over your inner wrist. Tap this icon using your other hand. The Start menu will open **where you’re looking**.
 > [!TIP]
 >
@@ -135,6 +141,8 @@ Move a hologram or app by following these steps:
 ### Resizing holograms
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE3ZYIb]
+
 Grab and use the **resize handles** that appear on the corners of 3D holograms and app windows to resize them.
 For an app window, when resized this way the window content correspondingly increases in size and becomes easier to read.
diff --git a/devices/hololens/hololens2-hardware.md b/devices/hololens/hololens2-hardware.md
index dd81a50803..3418e52e5e 100644
--- a/devices/hololens/hololens2-hardware.md
+++ b/devices/hololens/hololens2-hardware.md
@@ -75,6 +75,15 @@ Microsoft HoloLens 2 is an untethered holographic computer. It refines the holo
 | Bluetooth | 5.0 |
 | USB | USB Type-C |
+### Power
+
+| | |
+| - | - |
+| Battery Life | 2-3 hours of active use. Up to 2 weeks of standby time. |
+| Battery technology | [Lithium batteries](https://www.microsoft.com/download/details.aspx?id=43388) |
+| Charging behavior | Fully functional when charging |
+| Cooling type | Passively cooled (no fans) |
+
 ### Fit
 | | |
diff --git a/devices/hololens/hololens2-setup.md b/devices/hololens/hololens2-setup.md
index 7b662a76b4..912f8f5f79 100644
--- a/devices/hololens/hololens2-setup.md
+++ b/devices/hololens/hololens2-setup.md
@@ -1,6 +1,7 @@
 ---
 title: Prepare a new HoloLens 2
 description: This guide walks through first time set up and hardware guide.
+keywords: hololens, lights, fit, comfort, parts
 ms.assetid: 02692dcf-aa22-4d1e-bd00-f89f51048e32
 ms.date: 9/17/2019
 keywords: hololens
@@ -68,14 +69,14 @@ Not sure what the indicator lights on your HoloLens mean? Want to know how HoloL
 ### Charging behavior
-| State of the Device | Action | HoloLens 2 will do this |
+| State of the Device | Action | HoloLens 2 will do this |
 | - | - | - |
-| OFF | Plug in USB Cable | Device transitions to ON with indicator lights showing battery level and device starts charging.
-| ON | Remove USB Cable | Device stops charging
-| ON | Plug in USB Cable | Device starts charging
-| SLEEP | Plug in USB Cable | Device starts charging
-| SLEEP | Remove USB Cable | Device stops charging
-| ON with USB cable pluged in | Turn off Device | Device transitions to ON with indicator lights showing battery level and device will start charging |
+| OFF | Plug in USB Cable | Device transitions to ON with indicator lights showing battery level and device starts charging.
+| ON | Remove USB Cable | Device stops charging
+| ON | Plug in USB Cable | Device starts charging
+| SLEEP | Plug in USB Cable | Device starts charging
+| SLEEP | Remove USB Cable | Device stops charging
+| ON with USB cable plugged in | Turn off Device | Device transitions to ON with indicator lights showing battery level and device will start charging |
 ### Lights that indicate the battery level
@@ -89,18 +90,18 @@ Not sure what the indicator lights on your HoloLens mean? Want to know how HoloL
 ### Sleep Behavior
-| State of the Device | Action | HoloLens 2 will do this |
+| State of the Device | Action | HoloLens 2 will do this |
 | - | - | - |
-| ON | Single Power button press | Device transitions to SLEEP and turns off all indicator lights |
-| ON | No movement for 3 minutes | Device transition to SLEEP and turns off all indicator lights |
-| SLEEP | Single Power button Press | Device transitions to ON and turns on indicator lights |
+| ON | Single Power button press | Device transitions to SLEEP and turns off all indicator lights |
+| ON | No movement for 3 minutes | Device transition to SLEEP and turns off all indicator lights |
+| SLEEP | Single Power button Press | Device transitions to ON and turns on indicator lights |
 ### Lights to indicate problems
 | When you do this | The lights do this | It means this |
 | - | - | - |
 | You press the Power button. | One light flashes five times, then turns off. | The HoloLens battery is critically low. Charge your HoloLens. |
-| You press the Power button. | All five lights flash five times, then turn off. | HoloLens cannot start correctly and is in an error state. |
+| You press the Power button. | All five lights flash five times, then turn off. | HoloLens cannot start correctly and is in an error state. [Reinstall the operating system](hololens-recovery.md) to recover your device. |
 ## Safety and comfort
diff --git a/devices/hololens/images/20190322-DevicePortal.png b/devices/hololens/images/20190322-DevicePortal.png
new file mode 100644
index 0000000000..7fdd2e34b3
Binary files /dev/null and b/devices/hololens/images/20190322-DevicePortal.png differ
diff --git a/devices/hololens/index.md b/devices/hololens/index.md
index 2db4f6d0c9..6725da5e81 100644
--- a/devices/hololens/index.md
+++ b/devices/hololens/index.md
@@ -1,6 +1,6 @@
 ---
-title: Microsoft HoloLens (HoloLens)
-description: Landing page for HoloLens commercial and enterprise management.
+title: Microsoft HoloLens
+description: Landing page Microsoft HoloLens.
 ms.prod: hololens
 ms.sitesec: library
 ms.assetid: 0947f5b3-8f0f-42f0-aa27-6d2cad51d040
@@ -8,7 +8,12 @@ author: scooley
 ms.author: scooley
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 07/14/2019
+ms.date: 10/14/2019
+audience: ITPro
+appliesto:
+- HoloLens 1
+- HoloLens 2
+
 ---
 # Microsoft HoloLens
@@ -21,33 +26,33 @@ ms.date: 07/14/2019

To learn more about HoloLens 2 for developers, check out the mixed reality developer documentation.

-HoloLens 2 side view +

To buy HoloLens, check out HoloLens pricing and sales on microsoft.com/HoloLens.

+ + +HoloLens 2 side view ## Guides in this section | Guide | Description | | --- | --- | -| [Get started with HoloLens](hololens1-setup.md) | Set up HoloLens for the first time. | -| [Deploy HoloLens in a commercial environment](hololens-requirements.md) | Configure HoloLens for scale enterprise deployment and ongoing device management. | -| [Recover and troubleshoot HoloLens issues](https://support.microsoft.com/products/hololens) | Learn how to gather logs from HoloLens, recover a misbehaving device, or reset HoloLens when necessary. | -| [Get support](https://support.microsoft.com/products/hololens) |Connect with Microsoft support resources for HoloLens in enterprise. | +| [Get started with HoloLens 2](hololens2-setup.md) | Set up HoloLens 2 for the first time. | +| [Get started with HoloLens (1st gen)](hololens1-setup.md) | Set up HoloLens (1st gen) for the first time. | +| [Get started with HoloLens in a commercial or classroom environment](hololens-requirements.md) | Plan for a multi-device HoloLens deployment and create a strategy for ongoing device management.
This section is tailored to IT professionals managing devices with existing device management infrastructure. | ## Quick reference by topic | Topic | Description | | --- | --- | -| [What's new in Microsoft HoloLens](hololens-whats-new.md) | Discover new features in the latest updates. | -| [Configure HoloLens using a provisioning package](hololens-provisioning.md) | Provisioning packages make it easy for IT administrators to configure HoloLens devices without imaging | -| [HoloLens MDM support](hololens-enroll-mdm.md) | Manage multiple HoloLens devices simultaneously using Mobile Device Management (MDM) solutions like Microsoft Intune. | +| [What's new in HoloLens](hololens-whats-new.md) | Discover new features in the latest updates via HoloLens release notes. | +| [Install and manage applications on HoloLens](hololens-install-apps.md) | Install and manage important applications on HoloLens at scale. | | [HoloLens update management](hololens-updates.md) | Use mobile device management (MDM) policies to configure settings for updates. | | [HoloLens user management](hololens-multiple-users.md) | Multiple users can shared a HoloLens device by using their Azure Active Directory accounts. | | [HoloLens application access management](hololens-kiosk.md) | Manage application access for different user groups. | -| [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) | Learn how to use Bitlocker device encryption to protect files and information stored on the HoloLens. | -| [Install localized version of HoloLens](hololens1-install-localized.md) | Configure HoloLens for different locale. | +| [Recover and troubleshoot HoloLens issues](https://support.microsoft.com/products/hololens) | Learn how to gather logs from HoloLens, recover a misbehaving device, or reset HoloLens when necessary. | +| [Get support](https://support.microsoft.com/products/hololens) | Connect with Microsoft support resources for HoloLens in enterprise. 
| ## Related resources * [Documentation for Holographic app development](https://developer.microsoft.com/windows/mixed-reality/development) -* [HoloLens Commercial Suite](https://www.microsoft.com/microsoft-hololens/hololens-commercial) * [HoloLens release notes](https://developer.microsoft.com/windows/mixed-reality/release_notes) diff --git a/devices/surface/battery-limit.md b/devices/surface/battery-limit.md index 48b26edcc5..c5d75cda00 100644 --- a/devices/surface/battery-limit.md +++ b/devices/surface/battery-limit.md 
@@ -6,22 +6,26 @@ ms.mktglfcycl: manage
 ms.pagetype: surface, devices
 ms.sitesec: library
 author: dansimp
-ms.date: 10/02/2018
+ms.date: 10/31/2019
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
 ms.topic: article
+ms.localizationpriority: medium
+ms.audience: itpro
 ---
 # Battery Limit setting
 Battery Limit option is a UEFI setting that changes how the Surface device battery is charged and may prolong its longevity. This setting is recommended in cases in which the device is continuously connected to power, for example when devices are integrated into kiosk solutions.
-## Battery Limit information
+## How Battery Limit works
 Setting the device on Battery Limit changes the protocol for charging the device battery. When Battery Limit is enabled, the battery charge will be limited to 50% of its maximum capacity. The charge level reported in Windows will reflect this limit. Therefore, it will show that the battery is charged up to 50% and will not charge beyond this limit. If you enable Battery Limit while the device is above 50% charge, the Battery icon will show that the device is plugged in but discharging until the device reaches 50% of its maximum charge capacity.
-Adding the Battery Limit option to Surface UEFI requires a [Surface UEFI firmware update](update.md), available through Windows Update or via the MSI driver and firmware packages on the Microsoft Download Center. Check [Enable "Battery Limit" for Surface devices that have to be plugged in for extended periods of time](https://support.microsoft.com/help/4464941) for the specific Surface UEFI version required for each supported device. Currently, Battery Limit is supported on a subset of Surface devices and will be available in the future on other Surface device models.
+## Supported devices
+The Battery Limit UEFI setting is built into the latest Surface devices including Surface Pro 7 and Surface Laptop 3.
Earlier devices require a + [Surface UEFI firmware update](update.md), available through Windows Update or via the MSI driver and firmware packages on the [Surface Support site](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface). Check [Enable "Battery Limit" for Surface devices that have to be plugged in for extended periods of time](https://support.microsoft.com/help/4464941) for the specific Surface UEFI version required for each supported device. ## Enabling Battery Limit in Surface UEFI (Surface Pro 4 and later) diff --git a/devices/surface/deploy.md b/devices/surface/deploy.md index 08149e26b7..68749b654c 100644 --- a/devices/surface/deploy.md +++ b/devices/surface/deploy.md @@ -11,6 +11,8 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.topic: article +ms.localizationpriority: medium +ms.audience: itpro --- # Deploy Surface devices @@ -39,19 +41,7 @@ Learn about about deploying ARM- and Intel-based Surface devices. | [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)| See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices. | [Battery Limit setting](battery-limit.md) | Learn how to use Battery Limit, a UEFI setting that changes how the Surface device battery is charged and may prolong its longevity. - - -  - ## Related topics -[Surface for IT pros blog](http://blogs.technet.com/b/surface/) - -  - -  - - - - +[Surface IT Pro Blog](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/bg-p/SurfaceITPro) diff --git a/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md b/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md index 3fa2512ccf..855d637526 100644 --- a/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md +++ b/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md 
@@ -9,12 +9,15 @@ ms.sitesec: library
 author: Teresa-Motiv
 ms.author: v-tea
 ms.topic: article
-ms.date: 10/2/2019
+ms.date: 10/31/2019
 ms.reviewer: scottmca
+ms.localizationpriority: medium
+ms.audience: itpro
 manager: jarrettr
 appliesto:
 - Surface Laptop (1st Gen)
 - Surface Laptop 2
+- Surface Laptop 3
 ---
 # How to enable the Surface Laptop keyboard during MDT deployment
@@ -30,44 +33,77 @@ On most types of Surface devices, the keyboard should work during Lite Touch Ins To add the keyboard drivers to the selection profile, follow these steps: 1. Download the latest Surface Laptop MSI file from the appropriate locations: - - [Surface Laptop (1st Gen) Drivers and Firmware](https://www.microsoft.com/download/details.aspx?id=55489) - - [Surface Laptop 2 Drivers and Firmware](https://www.microsoft.com/download/details.aspx?id=57515) + - [Surface Laptop (1st Gen) Drivers and Firmware](https://www.microsoft.com/download/details.aspx?id=55489) + - [Surface Laptop 2 Drivers and Firmware](https://www.microsoft.com/download/details.aspx?id=57515) + - [Surface Laptop 3 with Intel Processor Drivers and Firmware](https://www.microsoft.com/download/details.aspx?id=100429) -1. Extract the contents of the Surface Laptop MSI file to a folder that you can easily locate (for example, c:\surface_laptop_drivers). To extract the contents, open an elevated Command Prompt window and run the following command: +2. Extract the contents of the Surface Laptop MSI file to a folder that you can easily locate (for example, c:\surface_laptop_drivers). To extract the contents, open an elevated Command Prompt window and run the command from the following example: ```cmd Msiexec.exe /a SurfaceLaptop_Win10_15063_1703008_1.msi targetdir=c:\surface_laptop_drivers /qn ``` -1. Open the Deployment Workbench and expand the **Deployment Shares** node and your deployment share, then navigate to the **WindowsPEX64** folder. +3. Open the Deployment Workbench and expand the **Deployment Shares** node and your deployment share, then navigate to the **WindowsPEX64** folder. ![Image that shows the location of the WindowsPEX64 folder in the Deployment Workbench](./images/surface-laptop-keyboard-1.png) -1. Right-click the **WindowsPEX64** folder and select **Import Drivers**. -1. 
Follow the instructions in the Import Driver Wizard to import the driver folders into the WindowsPEX64 folder. - - To support Surface Laptop (1st Gen), import the following folders: - - SurfacePlatformInstaller\Drivers\System\GPIO - - SurfacePlatformInstaller\Drivers\System\SurfaceHidMiniDriver - - SurfacePlatformInstaller\Drivers\System\SurfaceSerialHubDriver - - To support Surface Laptop 2, import the following folders: - - SurfacePlatformInstaller\Drivers\System\GPIO - - SurfacePlatformInstaller\Drivers\System\SurfaceHIDMiniDriver - - SurfacePlatformInstaller\Drivers\System\SurfaceSerialHubDriver - - SurfacePlatformInstaller\Drivers\System\I2C - - SurfacePlatformInstaller\Drivers\System\SPI - - SurfacePlatformInstaller\Drivers\System\UART +4. Right-click the **WindowsPEX64** folder and select **Import Drivers**. +5. Follow the instructions in the Import Driver Wizard to import the driver folders into the WindowsPEX64 folder. -1. Verify that the WindowsPEX64 folder now contains the imported drivers. The folder should resemble the following: +> [!NOTE] +> Check the downloaded MSI package to determine the format and directory structure. The directory structure will start with either SurfacePlatformInstaller (older MSI files) or SurfaceUpdate (Newer MSI files) depending on when the MSI was released. 
+ +To support Surface Laptop (1st Gen), import the following folders: + + - SurfacePlatformInstaller\Drivers\System\GPIO + - SurfacePlatformInstaller\Drivers\System\SurfaceHidMiniDriver + - SurfacePlatformInstaller\Drivers\System\SurfaceSerialHubDriver + +Or for newer MSI files beginning with "SurfaceUpdate", use: + +- SurfaceUpdate\SerialIOGPIO +- SurfaceUpdate\SurfaceHidMiniDriver +- SurfaceUpdate\SurfaceSerialHubDriver + +To support Surface Laptop 2, import the following folders: + + - SurfacePlatformInstaller\Drivers\System\GPIO + - SurfacePlatformInstaller\Drivers\System\SurfaceHIDMiniDriver + - SurfacePlatformInstaller\Drivers\System\SurfaceSerialHubDriver + - SurfacePlatformInstaller\Drivers\System\I2C + - SurfacePlatformInstaller\Drivers\System\SPI + - SurfacePlatformInstaller\Drivers\System\UART + +Or for newer MSI files beginning with "SurfaceUpdate", use: + +- SurfaceUpdate\SerialIOGPIO +- SurfaceUpdate\IclSerialIOI2C +- SurfaceUpdate\IclSerialIOSPI +- SurfaceUpdate\IclSerialIOUART +- SurfaceUpdate\SurfaceHidMini +- SurfaceUpdate\SurfaceSerialHub + + +To support Surface Laptop 3 with Intel Processor, import the following folders: + +- SurfaceUpdate\IclSerialIOGPIO +- SurfaceUpdate\IclSerialIOI2C +- SurfaceUpdate\IclSerialIOSPI +- SurfaceUpdate\IclSerialIOUART +- SurfaceUpdate\SurfaceHidMini +- SurfaceUpdate\SurfaceSerialHub +- SurfaceUpdate\SurfaceHotPlug + + +6. Verify that the WindowsPEX64 folder now contains the imported drivers. The folder should resemble the following: ![Image that shows the newly imported drivers in the WindowsPEX64 folder of the Deployment Workbench](./images/surface-laptop-keyboard-2.png) -1. Configure a selection profile that uses the WindowsPEX64 folder. The selection profile should resemble the following: +7. Configure a selection profile that uses the WindowsPEX64 folder. 
The selection profile should resemble the following: ![Image that shows the WindowsPEX64 folder selected as part of a selection profile](./images/surface-laptop-keyboard-3.png) -1. Configure the Windows PE properties of the MDT deployment share to use the new selection profile, as follows: +8. Configure the Windows PE properties of the MDT deployment share to use the new selection profile, as follows: - For **Platform**, select **x64**. - For **Selection profile**, select the new profile. @@ -75,7 +111,7 @@ To add the keyboard drivers to the selection profile, follow these steps: ![Image that shows the Windows PE properties of the MDT Deployment Share](./images/surface-laptop-keyboard-4.png) -1. Verify that you have configured the remaining Surface Laptop drivers by using either a selection profile or a **DriverGroup001** variable. +9. Verify that you have configured the remaining Surface Laptop drivers by using either a selection profile or a **DriverGroup001** variable. - For Surface Laptop (1st Gen), the model is **Surface Laptop**. The remaining Surface Laptop drivers should reside in the \MDT Deployment Share\Out-of-Box Drivers\Windows10\X64\Surface Laptop folder as shown in the figure that follows this list. - For Surface Laptop 2, the model is **Surface Laptop 2**. The remaining Surface Laptop drivers should reside in the \MDT Deployment Share\Out-of-Box Drivers\Windows10\X64\Surface Laptop 2 folder. diff --git a/devices/surface/images/manage-surface-uefi-fig5a.png b/devices/surface/images/manage-surface-uefi-fig5a.png new file mode 100644 index 0000000000..7baecb2fff Binary files /dev/null and b/devices/surface/images/manage-surface-uefi-fig5a.png differ diff --git a/devices/surface/images/manage-surface-uefi-fig7a.png b/devices/surface/images/manage-surface-uefi-fig7a.png new file mode 100644 index 0000000000..62e6536ea8 Binary files /dev/null and b/devices/surface/images/manage-surface-uefi-fig7a.png differ 
diff --git a/devices/surface/ltsb-for-surface.md b/devices/surface/ltsb-for-surface.md index 225135d993..5e14c8444d 100644 --- a/devices/surface/ltsb-for-surface.md +++ b/devices/surface/ltsb-for-surface.md @@ -10,6 +10,8 @@ ms.author: dansimp ms.topic: article ms.reviewer: manager: dansimp +ms.localizationpriority: medium +ms.audience: itpro --- # Long-Term Servicing Channel (LTSC) for Surface devices @@ -28,23 +30,7 @@ General-purpose Surface devices are intended to run on the Semi-Annual Channel t Surface devices in specialized scenarios–such as PCs that control medical equipment, point-of-sale systems, and ATMs–might consider the use of LTSC. These special-purpose systems typically perform a single task and do not require feature updates as frequently as other devices in the organization. - - - - ## Related topics -- [Surface TechCenter](https://technet.microsoft.com/windows/surface) - -- [Surface for IT pros blog](http://blogs.technet.com/b/surface/) - - - -  - -  - - - - +- [Surface IT Pro Blog](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/bg-p/SurfaceITPro) diff --git a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md index ede174d674..e43a14a63b 100644 --- a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md +++ b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md 
@@ -1,6 +1,6 @@
 ---
 title: Best practice power settings for Surface devices
-description: This topic provides best practice recommendations for maintaining optimal power settings and explains how Surface streamlines the power management experience.
+description: This topic provides best practice recommendations for maintaining optimal power settings and explains how Surface streamlines the power management experience. This article applies to all currently supported Surface devices including Surface Pro 7, Surface Pro X, and Surface Laptop 3.
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
@@ -9,7 +9,9 @@ ms.author: dansimp
 ms.topic: article
 ms.reviewer:
 manager: dansimp
-ms.date: 08/21/2019
+ms.localizationpriority: medium
+ms.audience: itpro
+ms.date: 10/28/2019
 ---
 # Best practice power settings for Surface devices
@@ -49,7 +51,7 @@ module (SAM). The SAM chip functions as the Surface device power-policy owner, using algorithms to calculate optimal power requirements. It works in conjunction with Windows power manager to allocate or throttle only the exact amount of power required for hardware components to
-function.
+function. This article applies to all currently supported Surface devices including Surface Pro 7, Surface Pro X, and Surface Laptop 3.
 ## Utilizing the custom power profile in Surface
diff --git a/devices/surface/manage-surface-uefi-settings.md b/devices/surface/manage-surface-uefi-settings.md
index 4de1914275..d205908048 100644
--- a/devices/surface/manage-surface-uefi-settings.md
+++ b/devices/surface/manage-surface-uefi-settings.md
@@ -17,22 +17,25 @@ manager: dansimp # Manage Surface UEFI settings -Current and future generations of Surface devices, including Surface Pro 7, Surface Book 2, and Surface Studio 2,use a unique UEFI firmware engineered by Microsoft specifically for these devices. This firmware allows for significantly greater control of the device’s operation over firmware versions in earlier generation Surface devices, including the support for touch, mouse, and keyboard operation. By using the Surface UEFI settings you can easily enable or disable internal devices or components, configure security to protect UEFI settings from being changed, and adjust the Surface device boot settings. - ->[!NOTE] ->Surface Pro 3, Surface 3, Surface Pro 2, Surface 2, Surface Pro, and Surface do not use the Surface UEFI and instead use firmware provided by third-party manufacturers, such as AMI. - -You can enter the Surface UEFI settings on your Surface device by pressing the **Volume Up** button and the **Power** button simultaneously. Hold the **Volume Up** button until the Surface logo is displayed, which indicates that the device has begun to boot. +All current and future generations of Surface devices use a unique Unified Extensible Firmware Interface (UEFI) engineered by Microsoft specifically for these devices. Surface UEFI settings provide the ability to enable or disable built-in devices and components, protect UEFI settings from being changed, and adjust the Surface device boot settings. ## Support for cloud-based management + With Device Firmware Configuration Interface (DFCI) profiles built into Microsoft Intune (now available in public preview), Surface UEFI management extends the modern management stack down to the UEFI hardware level. DFCI supports zero-touch provisioning, eliminates BIOS passwords, provides control of security settings including boot options and built-in peripherals, and lays the groundwork for advanced security scenarios in the future. 
DFCI is currently available for Surface Pro 7, Surface Pro X, and Surface Laptop 3. For more information, refer to [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md). +## Open Surface UEFI menu -## PC information +To adjust UEFI settings during system startup: -On the **PC information** page, detailed information about your Surface device is provided: +1. Shut down your Surface and wait about 10 seconds to make sure it's off. +2. Press and hold the **Volume-up** button and - at the same time - press and release the **Power button.** +3. As the Microsoft or Surface logo appears on your screen, continue to hold the **Volume-up** button until the UEFI screen appears. -- **Model** – Your Surface device’s model will be displayed here, such as Surface Book or Surface Pro 4. The exact configuration of your device is not shown, (such as processor, disk size, or memory size). +## UEFI PC information page + +The PC information page includes detailed information about your Surface device: + +- **Model** – Your Surface device’s model will be displayed here, such as Surface Book 2 or Surface Pro 7. The exact configuration of your device is not shown, (such as processor, disk size, or memory size). - **UUID** – This Universally Unique Identification number is specific to your device and is used to identify the device during deployment or management. - **Serial Number** – This number is used to identify this specific Surface device for asset tagging and support scenarios. 
@@ -56,9 +59,9 @@ You will also find detailed information about the firmware of your Surface devic You can find up-to-date information about the latest firmware version for your Surface device in the [Surface Update History](https://www.microsoft.com/surface/support/install-update-activate/surface-update-history) for your device. -## Security +## UEFI Security page -On the **Security** page of Surface UEFI settings, you can set a password to protect UEFI settings. This password must be entered when you boot the Surface device to UEFI. The password can contain the following characters (as shown in Figure 2): +The Security page allows you to set a password to protect UEFI settings. This password must be entered when you boot the Surface device to UEFI. The password can contain the following characters (as shown in Figure 2): - Uppercase letters: A-Z 
@@ -74,21 +77,21 @@ The password must be at least 6 characters and is case sensitive. *Figure 2. Add a password to protect Surface UEFI settings* -On the **Security** page you can also change the configuration of Secure Boot on your Surface device. Secure Boot technology prevents unauthorized boot code from booting on your Surface device, which protects against bootkit and rootkit-type malware infections. You can disable Secure Boot to allow your Surface device to boot third-party operating systems or bootable media. You can also configure Secure Boot to work with third-party certificates, as shown in Figure 3. Read more about [Secure Boot](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview) in the TechNet Library. +On the Security page you can also change the configuration of Secure Boot on your Surface device. Secure Boot technology prevents unauthorized boot code from booting on your Surface device, which protects against bootkit and rootkit-type malware infections. You can disable Secure Boot to allow your Surface device to boot third-party operating systems or bootable media. You can also configure Secure Boot to work with third-party certificates, as shown in Figure 3. Read more about [Secure Boot](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview) in the TechNet Library. ![Configure Secure Boot](images/manage-surface-uefi-fig3.png "Configure Secure Boot") *Figure 3. Configure Secure Boot* -You can also enable or disable the Trusted Platform Module (TPM) device on the **Security** page, as shown in Figure 4. The TPM is used to authenticate encryption for your device’s data with BitLocker. Read more about [BitLocker](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-overview) in the TechNet Library. +You can also enable or disable the Trusted Platform Module (TPM) device on the Security page, as shown in Figure 4. 
The TPM is used to authenticate encryption for your device’s data with BitLocker. Read more about [BitLocker](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-overview) in the TechNet Library. ![Configure Surface UEFI security settings](images/manage-surface-uefi-fig4.png "Configure Surface UEFI security settings") *Figure 4. Configure Surface UEFI security settings* -## Devices +## UEFI menu: Devices -On the **Devices** page you can enable or disable specific devices and components of your Surface device. Devices that you can enable or disable on this page include: +The Devices page allows you to enable or disable specific devices and components including: - Docking and USB Ports @@ -106,13 +109,13 @@ On the **Devices** page you can enable or disable specific devices and component Each device is listed with a slider button that you can move to **On** (enabled) or **Off** (disabled) position, as shown in Figure 5. -![Enable and disable specific devices](images/manage-surface-uefi-fig5.png "Enable and disable specific devices") +![Enable and disable specific devices](images/manage-surface-uefi-fig5a.png "Enable and disable specific devices") *Figure 5. Enable and disable specific devices* -## Boot configuration +## UEFI menu: Boot configuration -On the **Boot Configuration** page, you can change the order of your boot devices and/or enable or disable boot of the following devices: +The Boot Configuration page allows you to change the order of your boot devices as well as enable or disable boot of the following devices: - Windows Boot Manager 
@@ -132,68 +135,83 @@ For the specified boot order to take effect, you must set the **Enable Alternate You can also turn on and off IPv6 support for PXE with the **Enable IPv6 for PXE Network Boot** option, for example when performing a Windows deployment using PXE where the PXE server is configured for IPv4 only. +## UEFI menu: Management +The Management page allows you to manage use of Zero Touch UEFI Management and other features on eligible devices including Surface Pro 7, Surface Pro X, and Surface Laptop 3. -## Exit +![Manage access to Zero Touch UEFI Management and other features](images/manage-surface-uefi-fig7a.png "Manage access to Zero Touch UEFI Management and other features") +*Figure 7. Manage access to Zero Touch UEFI Management and other features* -Use the **Restart Now** button on the **Exit** page to exit UEFI settings, as shown in Figure 7. + +Zero Touch UEFI Management lets you remotely manage UEFI settings by using a device profile within Intune called Device Firmware Configuration Interface (DFCI). If you do not configure this setting, the ability to manage eligible devices with DFCI is set to **Ready**. To prevent DFCI, select **Opt-Out**. + +> [!NOTE] +> The UEFI Management settings page and use of DFCI is only available on Surface Pro 7, Surface Pro X, and Surface Laptop 3. + +For more information, refer to [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md). + +## UEFI menu: Exit + +Use the **Restart Now** button on the **Exit** page to exit UEFI settings, as shown in Figure 8. ![Exit Surface UEFI and restart the device](images/manage-surface-uefi-fig7.png "Exit Surface UEFI and restart the device") -*Figure 7. Click Restart Now to exit Surface UEFI and restart the device* +*Figure 8. 
Click Restart Now to exit Surface UEFI and restart the device* ## Surface UEFI boot screens -When you update Surface device firmware, by using either Windows Update or manual installation, the updates are not applied immediately to the device, but instead during the next reboot cycle. You can find out more about the Surface firmware update process in [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates). The progress of the firmware update is displayed on a screen with progress bars of differing colors to indicate the firmware for each component. Each component’s progress bar is shown in Figures 8 through 17. +When you update Surface device firmware, by using either Windows Update or manual installation, the updates are not applied immediately to the device, but instead during the next reboot cycle. You can find out more about the Surface firmware update process in [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates). The progress of the firmware update is displayed on a screen with progress bars of differing colors to indicate the firmware for each component. Each component’s progress bar is shown in Figures 9 through 18. ![Surface UEFI firmware update with blue progress bar](images/manage-surface-uefi-fig8.png "Surface UEFI firmware update with blue progress bar") -*Figure 8. The Surface UEFI firmware update displays a blue progress bar* +*Figure 9. The Surface UEFI firmware update displays a blue progress bar* ![System Embedded Controller firmware with green progress bar](images/manage-surface-uefi-fig9.png "System Embedded Controller firmware with green progress bar") -*Figure 9. The System Embedded Controller firmware update displays a green progress bar* +*Figure 10. 
The System Embedded Controller firmware update displays a green progress bar* ![SAM Controller firmware update with orange progress bar](images/manage-surface-uefi-fig10.png "SAM Controller firmware update with orange progress bar") -*Figure 10. The SAM Controller firmware update displays an orange progress bar* +*Figure 11. The SAM Controller firmware update displays an orange progress bar* ![Intel Management Engine firmware with red progress bar](images/manage-surface-uefi-fig11.png "Intel Management Engine firmware with red progress bar") -*Figure 11. The Intel Management Engine firmware update displays a red progress bar* +*Figure 12. The Intel Management Engine firmware update displays a red progress bar* ![Surface touch firmware with gray progress bar](images/manage-surface-uefi-fig12.png "Surface touch firmware with gray progress bar") -*Figure 12. The Surface touch firmware update displays a gray progress bar* +*Figure 13. The Surface touch firmware update displays a gray progress bar* ![Surface KIP firmware with light green progress bar](images/manage-surface-uefi-fig13.png "Surface touch firmware with light green progress bar") -*Figure 13. The Surface KIP firmware update displays a light green progress bar* +*Figure 14. The Surface KIP firmware update displays a light green progress bar* ![Surface ISH firmware with pink progress bar](images/manage-surface-uefi-fig14.png "Surface ISH firmware with pink progress bar") -*Figure 14. The Surface ISH firmware update displays a light pink progress bar* +*Figure 15. The Surface ISH firmware update displays a light pink progress bar* ![Surface Trackpad firmware with gray progress bar](images/manage-surface-uefi-fig15.png "Surface Trackpad firmware with gray progress bar") -*Figure 15. The Surface Trackpad firmware update displays a pink progress bar* +*Figure 16. 
The Surface Trackpad firmware update displays a pink progress bar* ![Surface TCON firmware with light gray progress bar](images/manage-surface-uefi-fig16.png "Surface TCON firmware with light gray progress bar") -*Figure 16. The Surface TCON firmware update displays a light gray progress bar* +*Figure 17. The Surface TCON firmware update displays a light gray progress bar* ![Surface TPM firmware with light purple progress bar](images/manage-surface-uefi-fig17.png "Surface TPM firmware with purple progress bar") -*Figure 17. The Surface TPM firmware update displays a purple progress bar* +*Figure 18. The Surface TPM firmware update displays a purple progress bar* >[!NOTE] ->An additional warning message that indicates Secure Boot is disabled is displayed, as shown in Figure 18. +>An additional warning message that indicates Secure Boot is disabled is displayed, as shown in Figure 19. ![Surface boot screen that indicates Secure Boot has been disabled](images/manage-surface-uefi-fig18.png "Surface boot screen that indicates Secure Boot has been disabled") -*Figure 18. Surface boot screen that indicates Secure Boot has been disabled in Surface UEFI settings* +*Figure 19. Surface boot screen that indicates Secure Boot has been disabled in Surface UEFI settings* ## Related topics -[Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md) +- [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md) + +- [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) \ No newline at end of file diff --git a/devices/surface/microsoft-surface-brightness-control.md b/devices/surface/microsoft-surface-brightness-control.md index 4a37b1fd9d..8c512f48c2 100644 --- a/devices/surface/microsoft-surface-brightness-control.md +++ b/devices/surface/microsoft-surface-brightness-control.md 
@@ -8,9 +8,11 @@ ms.sitesec: library
 author: dansimp
 ms.author: dansimp
 ms.topic: article
-ms.date: 1/15/2019
+ms.date: 10/31/2019
 ms.reviewer: hachidan
 manager: dansimp
+ms.localizationpriority: medium
+ms.audience: itpro
 ---
 # Surface Brightness Control
diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md
index 1cfe727788..7fbd031cf5 100644
--- a/devices/surface/microsoft-surface-deployment-accelerator.md
+++ b/devices/surface/microsoft-surface-deployment-accelerator.md
@@ -4,7 +4,7 @@ description: Microsoft Surface Deployment Accelerator provides a quick and simpl
 ms.assetid: E7991E90-4AAE-44B6-8822-58BFDE3EADE4
 ms.reviewer: hachidan
 manager: dansimp
-ms.date: 07/27/2017
+ms.date: 10/31/2019
 ms.localizationpriority: medium
 keywords: deploy, install, tool
 ms.prod: w10
@@ -19,7 +19,6 @@ ms.audience: itpro
 # Microsoft Surface Deployment Accelerator
-
 Microsoft Surface Deployment Accelerator (SDA) automates the creation and configuration of a Microsoft recommended deployment experience by using free Microsoft deployment tools.
 > [!NOTE]
diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md
index 0fac7db7a9..488bd63a15 100644
--- a/devices/surface/step-by-step-surface-deployment-accelerator.md
+++ b/devices/surface/step-by-step-surface-deployment-accelerator.md
@@ -13,7 +13,7 @@ ms.sitesec: library
 author: dansimp
 ms.author: dansimp
 ms.topic: article
-ms.date: 07/27/2017
+ms.date: 10/31/2019
 ---
 # Step by step: Surface Deployment Accelerator
diff --git a/devices/surface/support-solutions-surface.md b/devices/surface/support-solutions-surface.md
index 39f66879fb..8dd12ede7c 100644
--- a/devices/surface/support-solutions-surface.md
+++ b/devices/surface/support-solutions-surface.md
@@ -14,6 +14,7 @@ ms.author: dansimp
 ms.topic: article
 ms.date: 09/26/2019
 ms.localizationpriority: medium
+ms.audience: itpro
 ---
 # Top support solutions for Surface devices
diff --git a/devices/surface/surface-diagnostic-toolkit-business.md b/devices/surface/surface-diagnostic-toolkit-business.md
index 28726e9c2d..62c4129d08 100644
--- a/devices/surface/surface-diagnostic-toolkit-business.md
+++ b/devices/surface/surface-diagnostic-toolkit-business.md
@@ -3,12 +3,12 @@ title: Deploy Surface Diagnostic Toolkit for Business
 description: This topic explains how to use the Surface Diagnostic Toolkit for Business.
 ms.prod: w10
 ms.mktglfcycl: manage
-ms.localizationpriority: normal
+ms.localizationpriority: medium
 ms.sitesec: library
 author: dansimp
 ms.author: dansimp
 ms.topic: article
-ms.date: 09/27/2019
+ms.date: 10/31/2019
 ms.reviewer: hachidan
 manager: dansimp
 ms.audience: itpro
@@ -172,9 +172,10 @@ You can select to run a wide range of logs across applications, drivers, hardwar
 ## Changes and updates
 ### Version 2.43.139.0
 *Release date: October 21, 2019*
-This version of Surface Diagnostic Toolkit for Business adds support for the following:
--Surface Pro 7
--Surface Laptop 3
+This version of Surface Diagnostic Toolkit for Business adds support for the following:
+
+- Surface Pro 7
+- Surface Laptop 3
 ### Version 2.42.139.0
 *Release date: September 24, 2019*
diff --git a/devices/surface/surface-diagnostic-toolkit-command-line.md b/devices/surface/surface-diagnostic-toolkit-command-line.md
index 7359067813..f1e3460df4 100644
--- a/devices/surface/surface-diagnostic-toolkit-command-line.md
+++ b/devices/surface/surface-diagnostic-toolkit-command-line.md
@@ -16,7 +16,7 @@ ms.audience: itpro
 # Run Surface Diagnostic Toolkit for Business using commands
-Running the Surface Diagnostic Toolkit (SDT) at a command prompt requires downloading the STD app console. After it's installed, you can run SDT at a command prompt via the Windows command console (cmd.exe) or using Windows PowerShell, including PowerShell Integrated Scripting Environment (ISE), which provides support for autocompletion of commands, copy/paste, and other features.
+Running the Surface Diagnostic Toolkit (SDT) at a command prompt requires downloading the STD app console. After it's installed, you can run SDT at a command prompt via the Windows command console (cmd.exe) or using Windows PowerShell, including PowerShell Integrated Scripting Environment (ISE), which provides support for autocompletion of commands, copy/paste, and other features. For a list of supported Surface devices in SDT, refer to [Deploy Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md).
 >[!NOTE]
 >To run SDT using commands, you must be signed in to the Administrator account or signed in to an account that is a member of the Administrator group on your Surface device.
diff --git a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
index 4d8b505670..738ec1ecae 100644
--- a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
+++ b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
@@ -7,36 +7,34 @@ ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 11/15/2018 +ms.date: 10/31/2019 ms.reviewer: hachidan manager: dansimp -ms.localizationpriority: normal +ms.localizationpriority: medium ms.audience: itpro --- # Use Surface Diagnostic Toolkit for Business in desktop mode -This topic explains how to use the Surface Diagnostic Toolkit (SDT) to help users in your organization run the tool to identify and diagnose issues with the Surface device. Successfully running SDT can quickly determine if a reported issue is caused by failed hardware or user error. +This topic explains how to use the Surface Diagnostic Toolkit (SDT) to help users in your organization run the tool to identify and diagnose issues with the Surface device. Successfully running SDT can quickly determine if a reported issue is caused by failed hardware or user error. For a list of supported Surface devices in SDT, refer to [Deploy Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md). + 1. Direct the user to install [the SDT package](surface-diagnostic-toolkit-business.md#create-custom-sdt) from a software distribution point or network share. After it is installed, you’re ready to guide the user through a series of tests. 2. Begin at the home page, which allows users to enter a description of the issue, and click **Continue**, as shown in figure 1. ![Start SDT in desktop mode](images/sdt-desk-1.png) - - *Figure 1. SDT in desktop mode* +*Figure 1. SDT in desktop mode* 3. When SDT indicates the device has the latest updates, click **Continue** to advance to the catalog of available tests, as shown in figure 2. ![Select from SDT options](images/sdt-desk-2.png) - - *Figure 2. Select from SDT options* +*Figure 2. Select from SDT options* 4. You can choose to run all the diagnostic tests. 
Or, if you already suspect a particular issue such as a faulty display or a power supply problem, click **Select** to choose from the available tests and click **Run Selected**, as shown in figure 3. See the following table for details of each test. ![Select hardware tests](images/sdt-desk-3.png) - - *Figure 3. Select hardware tests* +*Figure 3. Select hardware tests* Hardware test | Description --- | --- @@ -55,6 +53,7 @@ This topic explains how to use the Surface Diagnostic Toolkit (SDT) to help user + ## Running multiple hardware tests to troubleshoot issues SDT is designed as an interactive tool that runs a series of tests. For each test, SDT provides instructions summarizing the nature of the test and what users should expect or look for in order for the test to be successful. For example, to diagnose if the display brightness is working properly, SDT starts at zero and increases the brightness to 100 percent, asking users to confirm – by answering **Yes** or **No** -- that brightness is functioning as expected, as shown in figure 4. @@ -62,7 +61,6 @@ SDT is designed as an interactive tool that runs a series of tests. For each tes For each test, if functionality does not work as expected and the user clicks **No**, SDT generates a report of the possible causes and ways to troubleshoot it. ![Running hardware diagnostics](images/sdt-desk-4.png) - *Figure 4. Running hardware diagnostics* 1. If the brightness successfully adjusts from 0-100 percent as expected, direct the user to click **Yes** and then click **Continue**. 
@@ -75,24 +73,18 @@ For each test, if functionality does not work as expected and the user clicks ** SDT enables you to diagnose and repair applications that may be causing issues, as shown in figure 5. ![Running repairs](images/sdt-desk-5.png) - *Figure 5. Running repairs* - - - - + ### Generating logs for analyzing issues SDT provides extensive log-enabled diagnosis support across applications, drivers, hardware, and operating system issues, as shown in figure 6. ![Generating logs](images/sdt-desk-6.png) - *Figure 6. Generating logs* - - + ### Generating detailed report comparing device vs. optimal configuration Based on the logs, SDT generates a report for software- and firmware-based issues that you can save to a preferred location. diff --git a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md index 35c9b5f49f..df3918d715 100644 --- a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md +++ b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md @@ -10,7 +10,7 @@ ms.topic: article ms.date: 06/11/2019 ms.reviewer: cottmca manager: dansimp -ms.localizationpriority: normal +ms.localizationpriority: medium ms.audience: itpro --- diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md index ffd159f4a1..8fa4e11515 100644 --- a/devices/surface/surface-dock-firmware-update.md +++ b/devices/surface/surface-dock-firmware-update.md @@ -8,7 +8,7 @@ ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 09/18/2019 +ms.date: 10/09/2019 ms.reviewer: scottmca manager: dansimp ms.audience: itpro 
@@ -47,8 +47,14 @@ You can use Windows Installer commands (Msiexec.exe) to deploy Surface Dock Firm - **Msiexec.exe /i /quiet /norestart** +> [!NOTE] +> A log file is not created by default. In order to create a log file, you will need to append "/l*v [path]" + For more information, refer to [Command line options](https://docs.microsoft.com/windows/win32/msi/command-line-options) documentation. +> [!IMPORTANT] +> If you want to keep your Surface Dock updated using any other method, refer to [Update your Surface Dock](https://support.microsoft.com/help/4023478/surface-update-your-surface-dock) for details. + ## Intune deployment You can use Intune to distribute Surface Dock Firmware Update to your devices. First you will need to convert the MSI file to the .intunewin format, as described in the following documentation: [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps/apps-win32-app-management). 
@@ -84,8 +90,8 @@ Successful completion of Surface Dock Firmware Update results in new registry ke | Log | Location | Notes | | -------------------------------- | -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Surface Dock Firmware Update log | /l*v %windir%\logs\Applications\SurfaceDockFWI.log | Earlier versions of this tool wrote events to Applications and Services Logs\Microsoft Surface Dock Updater. | -| Windows Device Install log | %windir%\inf\ setupapi.dev.log | For more information about using Device Install Log, refer [to SetupAPI Logging](https://docs.microsoft.com/windows-hardware/drivers/install/setupapi-logging--windows-vista-and-later-) documentation. | +| Surface Dock Firmware Update log | Path needs to be specified (see note) | Earlier versions of this tool wrote events to Applications and Services Logs\Microsoft Surface Dock Updater. | +| Windows Device Install log | %windir%\inf\setupapi.dev.log | For more information about using Device Install Log, refer to [SetupAPI Logging](https://docs.microsoft.com/windows-hardware/drivers/install/setupapi-logging--windows-vista-and-later-). | **Table 2. Event log IDs for Surface Dock Firmware Update** @@ -97,6 +103,10 @@ Successful completion of Surface Dock Firmware Update results in new registry ke | 2003 | Dock firmware update failed to get firmware version. | | 2004 | Querying the firmware version. | | 2005 | Dock firmware failed to start update. | +| 2006 | Failed to send offer/payload pairs. | +| 2007 | Firmware update finished. | +| 2008 | BEGIN dock telemetry. | +| 2011 | END dock telemetry. | ## Troubleshooting tips diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md index 32c1f38406..cc1aa4bfd1 100644 
--- a/devices/surface/surface-enterprise-management-mode.md +++ b/devices/surface/surface-enterprise-management-mode.md @@ -9,9 +9,11 @@ ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 01/06/2017 -ms.reviewer: +ms.date: 10/31/2019 +ms.reviewer: scottmca manager: dansimp +ms.localizationpriority: medium +ms.audience: itpro --- # Microsoft Surface Enterprise Management Mode 
@@ -19,12 +21,14 @@ manager: dansimp Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devices with Surface UEFI that allows you to secure and manage firmware settings within your organization. With SEMM, IT professionals can prepare configurations of UEFI settings and install them on a Surface device. In addition to the ability to configure UEFI settings, SEMM also uses a certificate to protect the configuration from unauthorized tampering or removal. >[!NOTE] ->SEMM is only available on devices with Surface UEFI firmware such as Surface Pro 4 and later, Surface Go, Surface Laptop, Surface Book, and Surface Studio. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings). +>SEMM is only available on devices with Surface UEFI firmware. + When Surface devices are configured by SEMM and secured with the SEMM certificate, they are considered *enrolled* in SEMM. When the SEMM certificate is removed and control of UEFI settings is returned to the user of the device, the Surface device is considered *unenrolled* in SEMM. There are two administrative options you can use to manage SEMM and enrolled Surface devices – a standalone tool or integration with System Center Configuration Manager. The SEMM standalone tool, called the Microsoft Surface UEFI Configurator, is described in this article. For more information about how to manage SEMM with System Center Configuration Manager, see [Use System Center Configuration Manager to manage devices with SEMM](https://technet.microsoft.com/itpro/surface/use-system-center-configuration-manager-to-manage-devices-with-semm). + ## Microsoft Surface UEFI Configurator The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown in Figure 1. 
Microsoft Surface UEFI Configurator is a tool that is used to create Windows Installer (.msi) packages or WinPE images that are used to enroll, configure, and unenroll SEMM on a Surface device. These packages contain a configuration file where the settings for UEFI are specified. SEMM packages also contain a certificate that is installed and stored in firmware and used to verify the signature of configuration files before UEFI settings are applied. @@ -33,8 +37,6 @@ The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown i *Figure 1. Microsoft Surface UEFI Configurator* ->[!NOTE] ->Windows 10 is required to run Microsoft Surface UEFI Configurator You can use the Microsoft Surface UEFI Configurator tool in three modes: 
@@ -62,17 +64,11 @@ See the [Surface Enterprise Management Mode certificate requirements](#surface-e After a device is enrolled in SEMM, the configuration file is read and the settings specified in the file are applied to UEFI. When you run a configuration package on a device that is already enrolled in SEMM, the signature of the configuration file is checked against the certificate that is stored in the device firmware. If the signature does not match, no changes are applied to the device. -You can use Surface UEFI settings to enable or disable the operation of individual components, such as cameras, wireless communication, or docking USB port (as shown in Figure 3), and configure advanced settings (as shown in Figure 4). +### Enable or disable devices in Surface UEFI with SEMM -![Enable or disable devices in Surface UEFI with SEMM](images/surface-ent-mgmt-fig3-enabledisable.png "Enable or disable devices in Surface UEFI with SEMM") + The built in devices that appear in the UEFI Devices page may vary depending on your device or corporate environment; for example, LTE only appears on devices equipped with LTE support. -*Figure 3. Enable or disable devices in Surface UEFI with SEMM* - -![Configure advanced settings in SEMM](images/surface-ent-mgmt-fig4-advancedsettings.png "Configure advanced settings in SEMM") - -*Figure 4. Configure advanced settings with SEMM* - -You can enable or disable the following devices with SEMM: + The following list shows all the available devices you can manage in SEMM: * Docking USB Port * On-board Audio 
@@ -86,31 +82,38 @@ You can enable or disable the following devices with SEMM: * Wi-Fi and Bluetooth * LTE -You can configure the following advanced settings with SEMM: +### Configure advanced settings with SEMM +**Table 1. Advanced settings** + +| Setting | Description | +| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| IPv6 for PXE Boot | Allows you to manage Ipv6 support for PXE boot. If you do not configure this setting, IPv6 support for PXE boot is disabled. | +| Alternate Boot | Allows you to manage use of an Alternate boot order to boot directly to a USB or Ethernet device by pressing both the Volume Down button and Power button during boot. If you do not configure this setting, Alternate boot is enabled. | +| Boot Order Lock | Allows you to lock the boot order to prevent changes. If you do not configure this setting, Boot Order Lock is disabled. | +| USB Boot | Allows you to manage booting to USB devices. If you do not configure this setting, USB Boot is enabled. | +| Network Stack | Allows you to manage Network Stack boot settings. If you do not configure this setting, the ability to manage Network Stack boot settings is enabled. | +| Auto Power On | Allows you to manage Auto Power On boot settings. If you do not configure this setting, Auto Power on is enabled. | +| Simultaneous Multi-Threading (SMT) | Allows you to manage Simultaneous Multi-Threading (SMT) to enable or disable hyperthreading. If you do not configure this setting, SMT is enabled. | +|Enable Battery limit| Allows you to manage Battery limit functionality. If you do not configure this setting, Battery limit is enabled | +| Security | Displays the Surface UEFI **Security** page. If you do not configure this setting, the Security page is displayed. | +| Devices | Displays the Surface UEFI **Devices** page. 
If you do not configure this setting, the Devices page is displayed. | +| Boot | Displays the Surface UEFI **Boot** page. If you do not configure this setting, the DateTime page is displayed. | +| DateTime | Displays the Surface UEFI **DateTime** page. If you do not configure this setting, the DateTime page is displayed. | + -* IPv6 support for PXE boot -* Alternate boot order, where the Volume Down button and Power button can be pressed together during boot, to boot directly to a USB or Ethernet device -* Lock the boot order to prevent changes -* Support for booting to USB devices -* Enable Network Stack boot settings -* Enable Auto Power On boot settings -* Display of the Surface UEFI **Security** page -* Display of the Surface UEFI **Devices** page -* Display of the Surface UEFI **Boot** page -* Display of the Surface UEFI **DateTime** page >[!NOTE] ->When you create a SEMM configuration package, two characters are shown on the **Successful** page, as shown in Figure 5. +>When you create a SEMM configuration package, two characters are shown on the **Successful** page, as shown in Figure 3. ![Certificate thumbprint display](images/surface-ent-mgmt-fig5-success.png "Certificate thumbprint display") -*Figure 5. Display of the last two characters of the certificate thumbprint on the Successful page* +*Figure 3. Display of the last two characters of the certificate thumbprint on the Successful page* -These characters are the last two characters of the certificate thumbprint and should be written down or recorded. The characters are required to confirm enrollment in SEMM on a Surface device, as shown in Figure 6. +These characters are the last two characters of the certificate thumbprint and should be written down or recorded. The characters are required to confirm enrollment in SEMM on a Surface device, as shown in Figure 4. ![Enrollment confirmation in SEMM](images/surface-ent-mgmt-fig6-enrollconfirm.png "Enrollment confirmation in SEMM") -*Figure 6. 
Enrollment confirmation in SEMM with the SEMM certificate thumbprint* +*Figure 4. Enrollment confirmation in SEMM with the SEMM certificate thumbprint* >[!NOTE] >Administrators with access to the certificate file (.pfx) can read the thumbprint at any time by opening the .pfx file in CertMgr. To view the thumbprint with CertMgr, follow this process: 
@@ -132,11 +135,11 @@ A Surface UEFI reset package is used to perform only one task — to unenroll a ### Recovery request -In some scenarios, it may be impossible to use a Surface UEFI reset package. (For example, if Windows becomes unusable on the Surface device.) In these scenarios you can unenroll the Surface device from SEMM through the **Enterprise Management** page of Surface UEFI (shown in Figure 7) with a Recovery Request operation. +In some scenarios, it may be impossible to use a Surface UEFI reset package. (For example, if Windows becomes unusable on the Surface device.) In these scenarios you can unenroll the Surface device from SEMM through the **Enterprise Management** page of Surface UEFI (shown in Figure 5) with a Recovery Request operation. ![Initiate a SEMM recovery request](images/surface-ent-mgmt-fig7-semmrecovery.png "Initiate a SEMM recovery request") -*Figure 7. Initiate a SEMM recovery request on the Enterprise Management page* +*Figure 5. Initiate a SEMM recovery request on the Enterprise Management page* When you use the process on the **Enterprise Management** page to reset SEMM on a Surface device, you are provided with a Reset Request. This Reset Request can be saved as a file to a USB drive, copied as text, or read as a QR Code with a mobile device to be easily emailed or messaged. Use the Microsoft Surface UEFI Configurator Reset Request option to load a Reset Request file or enter the Reset Request text or QR Code. Microsoft Surface UEFI Configurator will generate a verification code that can be entered on the Surface device. If you enter the code on the Surface device and click **Restart**, the device will be unenrolled from SEMM. diff --git a/devices/surface/surface-system-sku-reference.md b/devices/surface/surface-system-sku-reference.md index 6b6e75f7d4..74c348d2d1 100644 --- a/devices/surface/surface-system-sku-reference.md +++ b/devices/surface/surface-system-sku-reference.md 
@@ -9,9 +9,11 @@ ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 03/20/2019 +ms.date: 10/31/2019 ms.reviewer: manager: dansimp +ms.localizationpriority: medium +ms.audience: itpro --- # System SKU reference @@ -39,6 +41,11 @@ System Model and System SKU are variables that are stored in the System Manageme | Surface Pro 6 Commercial | Surface Pro 6 | Surface_Pro_6_1796_Commercial | | Surface Laptop 2 Consumer | Surface Laptop 2 | Surface_Laptop_2_1769_Consumer | | Surface Laptop 2 Commercial | Surface Laptop 2 | Surface_Laptop_2_1769_Commercial | +| Surface Pro 7 | Surface Pro 7 | Surface_Pro_7_1866 | +| Surface Pro X | Surface Pro X | Surface_Pro_X_1876 | +| Surface Laptop 3 13" Intel | Surface Laptop 3 | Surface_Laptop_3_1867:1868 | +| Surface Laptop 3 15" Intel | Surface Laptop 3 | Surface_Laptop_3_1872 | +| Surface Laptop 3 15" AMD | Surface Laptop 3 | Surface_Laptop_3_1873 | ## Examples diff --git a/devices/surface/surface-wireless-connect.md b/devices/surface/surface-wireless-connect.md index fbbaec21e8..6e225137c2 100644 --- a/devices/surface/surface-wireless-connect.md +++ b/devices/surface/surface-wireless-connect.md @@ -6,16 +6,15 @@ ms.mktglfcycl: manage ms.sitesec: library author: dansimp ms.audience: itpro -ms.localizationpriority: normal +ms.localizationpriority: medium ms.author: dansimp ms.topic: article -ms.date: 08/15/2019 +ms.date: 10/31/2019 ms.reviewer: tokatz manager: dansimp --- # Optimize Wi-Fi connectivity for Surface devices -## Introduction To stay connected with all-day battery life, Surface devices implement wireless connectivity settings that balance performance and power conservation. Outside of the most demanding mobility scenarios, users can maintain sufficient wireless connectivity without modifying default network adapter or related settings. 
@@ -32,7 +31,7 @@ If you’re managing a wireless network that’s typically accessed by many diff - **802.11r.** “**Fast BSS Transition”** accelerates connecting to new wireless access points by reducing the number of frames required before your device can access another AP as you move around with your device. - **802.11k.** **“Neighbor Reports”** provides devices with information on current conditions at neighboring access points. It can help your Surface device choose the best AP using criteria other than signal strength such as AP utilization. -Surface Go devices can also use 802.11v “BSS Transition Management Frames,” which functions much like 802.11k in providing information on nearby candidate APs. +Specific Surface devices can also use 802.11v “BSS Transition Management Frames,” which functions much like 802.11k in providing information on nearby candidate APs. These include Surface Go, Surface Pro 7, Surface Pro X, and Surface Laptop 3. ## Managing user settings diff --git a/devices/surface/unenroll-surface-devices-from-semm.md b/devices/surface/unenroll-surface-devices-from-semm.md index edcfcdf120..39b70f6006 100644 --- a/devices/surface/unenroll-surface-devices-from-semm.md +++ b/devices/surface/unenroll-surface-devices-from-semm.md @@ -12,6 +12,8 @@ ms.topic: article ms.date: 01/06/2017 ms.reviewer: manager: dansimp +ms.localizationpriority: medium +ms.audience: itpro --- # Unenroll Surface devices from SEMM diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md index 0432c65257..6c29966521 100644 --- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md +++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md 
@@ -9,9 +9,11 @@ ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 02/01/2017 +ms.date: 10/31/2019 ms.reviewer: manager: dansimp +ms.localizationpriority: medium +ms.audience: itpro --- # Use System Center Configuration Manager to manage devices with SEMM @@ -382,7 +384,7 @@ To configure Surface UEFI settings or permissions for Surface UEFI settings, you The computer where ShowSettingsOptions.ps1 is run must have Microsoft Surface UEFI Manager installed, but the script does not require a Surface device. -The following tables show the available settings for Surface Pro 4 and Surface Book: +The following tables show the available settings for Surface Pro 4 and later including Surface Pro 7, Surface Book, Surface Laptop 3, and Surface Go. *Table 1. Surface UEFI settings for Surface Pro 4* diff --git a/education/developers.yml b/education/developers.yml new file mode 100644 index 0000000000..23f2c74297 --- /dev/null +++ b/education/developers.yml 
@@ -0,0 +1,33 @@ +### YamlMime:Hub + +title: M365 Education Documentation for developers +summary: Are you an app developer looking for information about developing solutions on Microsoft Education products? Start here. + +metadata: + title: M365 Education Documentation for developers + description: Are you an app developer looking for information about developing solutions on Microsoft Education products? Start here. + ms.service: help + ms.topic: hub-page + author: v-lamoyn + ms.author: v-lamoyn + ms.date: 10/24/2019 + +additionalContent: + sections: + - items: + # Card + - title: UWP apps for education + summary: Learn how to write universal apps for education. + url: https://docs.microsoft.com/en-us/windows/uwp/apps-for-education/ + # Card + - title: Take a test API + summary: Learn how web applications can use the API to provide a locked down experience for taking tests. + url: https://docs.microsoft.com/en-us/windows/uwp/apps-for-education/take-a-test-api + # Card + - title: Office Education Dev center + summary: Integrate with Office 365 across devices and services to extend Microsoft enterprise-scale compliance and security to students, teachers, and staff in your education app + url: https://dev.office.com/industry-verticals/edu + # Card + - title: Data Streamer + summary: Bring new STEM experiences into the classroom with real-time data in Excel using Data Streamer. Data Streamer can send data to Excel from a sensor or application. + url: https://docs.microsoft.com/en-us/microsoft-365/education/data-streamer \ No newline at end of file diff --git a/education/docfx.json b/education/docfx.json index 15587928ef..91c875c200 100644 --- a/education/docfx.json +++ b/education/docfx.json 
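Review bot: Three of the four card links under `additionalContent` hard-code the `/en-us/` locale segment in their docs.microsoft.com URLs, which pins every reader to the English page. Other links added in this commit, such as the Msiexec command line options link in surface-dock-firmware-update.md, leave the segment out. I would drop it here too, e.g. `url: https://docs.microsoft.com/windows/uwp/apps-for-education/`. The "Office Education Dev center" summary is also missing its closing period, and the file ends without a trailing newline, as does education/index.yml.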
@@ -32,9 +32,8 @@ "audience": "ITPro", "breadcrumb_path": "/education/breadcrumb/toc.json", "ms.date": "05/09/2017", - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "feedback_system": "None", + "hideEdit": true, "_op_documentIdPathDepotMapping": { "./": { "depot_name": "Win.education", diff --git a/education/images/EDU-Apps-Mgmt.svg b/education/images/EDU-Apps-Mgmt.svg new file mode 100644 index 0000000000..862f0e12ff --- /dev/null +++ b/education/images/EDU-Apps-Mgmt.svg @@ -0,0 +1 @@ +EDU-Apps-Mgmt-50px \ No newline at end of file diff --git a/education/images/EDU-Deploy.svg b/education/images/EDU-Deploy.svg new file mode 100644 index 0000000000..1a0d67fd67 --- /dev/null +++ b/education/images/EDU-Deploy.svg @@ -0,0 +1 @@ +EDU-Deploy-50px \ No newline at end of file diff --git a/education/images/EDU-Device-Mgmt.svg b/education/images/EDU-Device-Mgmt.svg new file mode 100644 index 0000000000..92fb95141f --- /dev/null +++ b/education/images/EDU-Device-Mgmt.svg @@ -0,0 +1 @@ +EDU-Device-Mgmt-50px \ No newline at end of file diff --git a/education/images/EDU-Education.svg b/education/images/EDU-Education.svg new file mode 100644 index 0000000000..146dd00257 --- /dev/null +++ b/education/images/EDU-Education.svg @@ -0,0 +1 @@ +EDU-Education-50px \ No newline at end of file diff --git a/education/images/EDU-Lockbox.svg b/education/images/EDU-Lockbox.svg new file mode 100644 index 0000000000..8133127433 --- /dev/null +++ b/education/images/EDU-Lockbox.svg @@ -0,0 +1 @@ +EDU-Lockbox-50px \ No newline at end of file diff --git a/education/images/EDU-Tasks.svg b/education/images/EDU-Tasks.svg new file mode 100644 index 0000000000..f1339ea705 --- /dev/null +++ b/education/images/EDU-Tasks.svg @@ -0,0 +1 @@ +EDU-Tasks-50px \ No newline at end of file 
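Review bot: Setting `"feedback_system": "None"` while removing `feedback_github_repo` and `feedback_product_url` leaves pages built from this docset with no stated route for readers to report an error. That matters for the deployment and network-security guidance the education hub links to. If the aim is only to stop outside edits, `"hideEdit": true` presumably covers that on its own (confirm against the build's metadata reference), and a reporting channel could be kept. Strict JSON cannot carry a comment, so the reason for closing feedback, and where corrections should go instead, belongs in the commit description. The enclosing metadata object starts and ends outside the hunk.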
diff --git a/education/images/EDUAdmins.svg b/education/images/EDUAdmins.svg new file mode 100644 index 0000000000..d512fb942f --- /dev/null +++ b/education/images/EDUAdmins.svg @@ -0,0 +1 @@ +EDUAdmins-50px \ No newline at end of file diff --git a/education/images/EDUDevelopers.svg b/education/images/EDUDevelopers.svg new file mode 100644 index 0000000000..900159699a --- /dev/null +++ b/education/images/EDUDevelopers.svg @@ -0,0 +1 @@ +EDUDevelopers-50px \ No newline at end of file diff --git a/education/images/EDUPartners.svg b/education/images/EDUPartners.svg new file mode 100644 index 0000000000..01b80c9a42 --- /dev/null +++ b/education/images/EDUPartners.svg @@ -0,0 +1 @@ +EDUPartners-50px \ No newline at end of file diff --git a/education/index.md b/education/index.md deleted file mode 100644 index c36a33ee36..0000000000 --- a/education/index.md +++ /dev/null @@ -1,253 +0,0 @@ ---- -layout: HubPage -hide_bc: true -title: Microsoft 365 Education documentation and resources | Microsoft Docs -description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers. -author: dansimp -ms.topic: hub-page -ms.author: dansimp -ms.collection: ITAdminEDU -ms.date: 10/30/2017 -ms.prod: w10 ---- -
-
-

Microsoft Education documentation and resources

-
-
diff --git a/education/index.yml b/education/index.yml new file mode 100644 index 0000000000..dc0e6fa938 --- /dev/null +++ b/education/index.yml @@ -0,0 +1,35 @@ +### YamlMime:Hub + +title: M365 Education Documentation +summary: Microsoft 365 Education empowers educators to unlock creativity, promote teamwork, and provide a simple and safe experience in a single, affordable solution built for education. + +metadata: + title: M365 Education Documentation + description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers. + ms.service: help + ms.topic: hub-page + author: v-lamoyn + ms.author: v-lamoyn + ms.date: 10/24/2019 + +productDirectory: + items: + # Card + - title: IT Admins + # imageSrc should be square in ratio with no whitespace + imageSrc: ./images/EDUAdmins.svg + links: + - url: itadmins.yml + text: Get started with deploying and managing a full cloud IT solution for your school. + # Card + - title: Developers + imageSrc: ./images/EDUDevelopers.svg + links: + - url: developers.yml + text: Looking for information about developing solutions on Microsoft Education products? Start here. + # Card + - title: Partners + imageSrc: ./images/EDUPartners.svg + links: + - url: partners.yml + text: Looking for resources available to Microsoft Education partners? Start here. \ No newline at end of file diff --git a/education/itadmins.yml b/education/itadmins.yml new file mode 100644 index 0000000000..dc37e8803d --- /dev/null +++ b/education/itadmins.yml 
@@ -0,0 +1,96 @@
+### YamlMime:Hub
+
+title: M365 Education Documentation for IT admins
+summary: M365 Education consists of Office 365 Education, Windows 10 Education, and security and management tools such as Intune for Education and School Data Sync.
+
+metadata:
+ title: M365 Education Documentation for IT admins
+ description: M365 Education consists of Office 365 Education, Windows 10 Education, and security and management tools such as Intune for Education and School Data Sync.
+ ms.service: help
+ ms.topic: hub-page
+ author: v-lamoyn
+ ms.author: v-lamoyn
+ ms.date: 10/24/2019
+
+productDirectory:
+ summary: This guide is designed for IT admins looking for the simplest way to move their platform to the cloud. It does not capture all the necessary steps for large scale or complex deployments. Check out at https://edujourney.microsoft.com/. Find help now at https://docs.microsoft.com/en-us/microsoft-365/education/deploy/find-deployment-help.
+ items:
+ # Card
+ - title: Phase 1 - Cloud deployment
+ imageSrc: ./images/EDU-Deploy.svg
+ links:
+ - url: https://docs.microsoft.com/en-us/microsoft-365/education/deploy/create-your-office-365-tenant
+ text: 1. Create your Office 365 tenant
+ - url: https://docs.microsoft.com/en-us/microsoft-365/education/deploy/secure-and-configure-your-network
+ text: 2. Secure and configure your network
+ - url: https://docs.microsoft.com/en-us/microsoft-365/education/deploy/aad-connect-and-adfs
+ text: 3. Sync your active directory
+ - url: https://docs.microsoft.com/en-us/microsoft-365/education/deploy/school-data-sync
+ text: 4. Sync you SIS using School Data Sync
+ - url: https://docs.microsoft.com/en-us/microsoft-365/education/deploy/license-users
+ text: 5. License users
+ # Card
+ - title: Phase 2 - Device management
+ imageSrc: ./images/EDU-Device-Mgmt.svg
+ links:
+ - url: https://docs.microsoft.com/en-us/education/windows/
+ text: 1. Get started with Windows 10 for Education
+ - url: https://docs.microsoft.com/en-us/microsoft-365/education/deploy/set-up-windows-10-education-devices
+ text: 2. Set up Windows 10 devices
+ - url: https://docs.microsoft.com/en-us/microsoft-365/education/deploy/intune-for-education
+ text: 3. Get started with Intune for Education
+ - url: https://docs.microsoft.com/en-us/microsoft-365/education/deploy/use-intune-for-education
+ text: 4. Use Intune to manage groups, apps, and settings
+ - url: https://docs.microsoft.com/en-us/intune/enrollment/enrollment-autopilot
+ text: 5. Enroll devices using Windows Autopilot
+ # Card
+ - title: Phase 3 - Apps management
+ imageSrc: ./images/EDU-Apps-Mgmt.svg
+ links:
+ - url: https://docs.microsoft.com/en-us/microsoft-365/education/deploy/configure-admin-settings
+ text: 1. Configure admin settings
+ - url: https://docs.microsoft.com/en-us/microsoft-365/education/deploy/set-up-teams-for-education
+ text: 2. Set up Teams for Education
+ - url: https://docs.microsoft.com/en-us/microsoft-365/education/deploy/deploy-office-365
+ text: 3. Set up Office 365
+ - url: https://docs.microsoft.com/en-us/microsoft-365/education/deploy/microsoft-store-for-education
+ text: 4. Install apps from Microsoft Store for Education
+ - url: https://docs.microsoft.com/en-us/microsoft-365/education/deploy/minecraft-for-education
+ text: 5. Install Minecraft - Education Edition
+ # Card
+ - title: Complete your deployment
+ # imageSrc should be square in ratio with no whitespace
+ imageSrc: ./images/EDU-Tasks.svg
+ links:
+ - url: https://docs.microsoft.com/en-us/microsoft-365/education/deploy/deploy-exchange-online
+ text: Deploy Exchange Online
+ - url: https://docs.microsoft.com/en-us/microsoft-365/education/deploy/deploy-sharepoint-online-and-onedrive
+ text: Deploy SharePoint Online and OneDrive
+ - url: https://docs.microsoft.com/en-us/microsoft-365/education/deploy/deploy-exchange-server-hybrid
+ text: Deploy Exchange Server hybrid
+ - url: https://docs.microsoft.com/en-us/microsoft-365/education/deploy/deploy-sharepoint-server-hybrid
+ text: Deploy SharePoint Server Hybrid
+ # Card
+ - title: Security & Compliance
+ imageSrc: ./images/EDU-Lockbox.svg
+ links:
+ - url: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-deployment-checklist-p2
+ text: AAD feature deployment guide
+ - url: https://techcommunity.microsoft.com/t5/Azure-Information-Protection/Azure-Information-Protection-Deployment-Acceleration-Guide/ba-p/334423
+ text: Azure information protection deployment acceleration guide
+ - url: https://docs.microsoft.com/en-us/cloud-app-security/getting-started-with-cloud-app-security
+ text: Microsoft Cloud app security
+ - url: https://docs.microsoft.com/en-us/microsoft-365/compliance/create-test-tune-dlp-policy
+ text: Office 365 data loss prevention
+ - url: https://docs.microsoft.com/en-us/microsoft-365/compliance/
+ text: Office 365 advanced compliance
+ - url: https://social.technet.microsoft.com/wiki/contents/articles/35748.office-365-what-is-customer-lockbox-and-how-to-enable-it.aspx
+ text: Deploying Lockbox
+ # Card
+ - title: Analytics & Insights
+ imageSrc: ./images/EDU-Education.svg
+ links:
+ - url: https://docs.microsoft.com/en-us/power-bi/service-admin-administering-power-bi-in-your-organization
+ text: Power BI for IT admins
+ - url: https://docs.microsoft.com/en-us/dynamics365/#pivot=get-started
+ text: Dynamics 365
\ No newline at end of file
diff --git a/education/partners.yml b/education/partners.yml
new file mode 100644
index 0000000000..6dd4d0038a
--- /dev/null
+++ b/education/partners.yml
@@ -0,0 +1,33 @@
+### YamlMime:Hub
+
+title: M365 Education Documentation for partners
+summary: Looking for resources available to Microsoft Education partners? Start here.
+
+metadata:
+ title: M365 Education Documentation for partners
+ description: Looking for resources available to Microsoft Education partners? Start here.
+ ms.service: help
+ ms.topic: hub-page
+ author: v-lamoyn
+ ms.author: v-lamoyn
+ ms.date: 10/24/2019
+
+additionalContent:
+ sections:
+ - items:
+ # Card
+ - title: Microsoft Partner Network
+ summary: Discover the latest news and resources for Microsoft Education products, solutions, licensing and readiness.
+ url: https://partner.microsoft.com/solutions/education
+ # Card
+ - title: Authorized Education Partner (AEP) program
+ summary: Become authorized to purchase and resell academic priced offers and products to Qualified Educational Users (QEUs).
+ url: https://www.mepn.com/
+ # Card
+ - title: Authorized Education Partner Directory
+ summary: Search through the list of Authorized Education Partners worldwide who can deliver on customer licensing requirements, and provide solutions and services to current and future school needs.
+ url: https://www.mepn.com/MEPN/AEPSearch.aspx
+ # Card
+ - title: Education Partner community Yammer group
+ summary: Sign in with your Microsoft Partner account and join the Education Partner community private group on Yammer.
+ url: https://www.yammer.com/mepn/
\ No newline at end of file
diff --git a/mdop/agpm/whats-new-in-agpm-40-sp3.md b/mdop/agpm/whats-new-in-agpm-40-sp3.md
index dbe0512e16..d60031b011 100644
--- a/mdop/agpm/whats-new-in-agpm-40-sp3.md
+++ b/mdop/agpm/whats-new-in-agpm-40-sp3.md
@@ -189,7 +189,7 @@ The following table describes the behavior of AGPM 4.0 SP3 Client and Server in
 ## How to Get MDOP Technologies
-AGPM 4.0 SP3 is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is part of Microsoft Software Assurance. For more information about Microsoft Software Assurance and acquiring MDOP, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId=322049) (https://go.microsoft.com/fwlink/?LinkId=322049).
+AGPM 4.0 SP3 is a part of the Microsoft Desktop Optimization Pack (MDOP) since MDOP 2015. MDOP is part of Microsoft Software Assurance. For more information about Microsoft Software Assurance and acquiring MDOP, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId=322049) (https://go.microsoft.com/fwlink/?LinkId=322049).
 ## Related topics
diff --git a/smb/docfx.json b/smb/docfx.json
index f4e4a7783a..14448aa33c 100644
--- a/smb/docfx.json
+++ b/smb/docfx.json
@@ -30,9 +30,8 @@
 "externalReference": [],
 "globalMetadata": {
 "breadcrumb_path": "/windows/smb/breadcrumb/toc.json",
- "feedback_system": "GitHub",
- "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
- "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
+ "feedback_system": "None",
+ "hideEdit": true,
 "_op_documentIdPathDepotMapping": {
 "./": {
 "depot_name": "TechNet.smb",
diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json
index 2825ff309d..760a988add 100644
--- a/store-for-business/docfx.json
+++ b/store-for-business/docfx.json
@@ -40,9 +40,8 @@
 "searchScope": [
 "Store"
 ],
- "feedback_system": "GitHub",
- "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
- "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
+ "feedback_system": "None",
+ "hideEdit": true,
 "_op_documentIdPathDepotMapping": {
 "./": {
 "depot_name": "MSDN.store-for-business",
diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json
index ee08c91bcf..6f3c2b6c50 100644
--- a/windows/application-management/docfx.json
+++ b/windows/application-management/docfx.json
@@ -36,9 +36,7 @@
 "audience": "ITPro",
 "ms.topic": "article",
 "ms.author": "elizapo",
- "feedback_system": "GitHub",
- "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
- "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
+ "feedback_system": "None",
 "_op_documentIdPathDepotMapping": {
 "./": {
 "depot_name": "MSDN.win-app-management",
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
index e1365a820c..c265525536 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
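Review bot: In `windows/application-management/docfx.json` the three removed feedback keys are replaced only by `"feedback_system": "None",`, while the smb, store-for-business, windows/configuration and windows/configure hunks in this commit also add `"hideEdit": true,`. If the intent is to close the public feedback and edit entry points for every docset, this one presumably keeps its edit link; adding `"hideEdit": true,` directly after the `feedback_system` line would bring it in line with the others. If the omission is deliberate, it is worth stating in the commit description, since the JSON file itself cannot carry a comment. The `globalMetadata` object starts and ends outside the hunk.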
@@ -32,7 +32,8 @@ From its release, Windows 10 has supported remote connections to PCs that are jo ## Set up - Both PCs (local and remote) must be running Windows 10, version 1607 (or later). Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported. -- Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC that you are using to connect to the remote PC. +- Your local PC (where you are connecting from) must be either Azure AD joined or Hybrid Azure AD joined. Remote connection to an Azure AD joined PC from an unjoined device or a non-Windows 10 device is not supported. +Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC that you are using to connect to the remote PC. - On the PC that you want to connect to: 1. Open system properties for the remote PC. 2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**. diff --git a/windows/client-management/mdm/images/custom-profile-prevent-device-instance-ids.png b/windows/client-management/mdm/images/custom-profile-prevent-device-instance-ids.png new file mode 100644 index 0000000000..226f4850aa Binary files /dev/null and b/windows/client-management/mdm/images/custom-profile-prevent-device-instance-ids.png differ diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 5a33e8eda5..4ced8ce8ab 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md 
@@ -777,7 +777,7 @@ ADMX Info: -To enable this policy, use the following SyncML. +To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with device instance IDs of USB\VID_1F75 and USB\VID_0781. To configure multiple classes, use `` as a delimiter. ``` xml @@ -805,6 +805,25 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i <<< Section end 2018/11/15 12:26:41.751 <<< [Exit status: SUCCESS] ``` + +You can also block installation and usage of prohibited peripherals by using a custom profile in Intune. + +For example, this custom profile prevents installation of devices with matching device instance IDs. + +![Custom profile](images/custom-profile-prevent-device-instance-ids.png) + +To prevent installation of devices with matching device instance IDs by using custom profile in Intune: +1. Locate the device instance ID. +2. Replace `&` in the device instance IDs with `&`. +For example: +Replace +```USBSTOR\DISK&VEN_SAMSUNG&PROD_FLASH_DRIVE&REV_1100\0376319020002347&0``` +with +```USBSTOR\DISK&VEN_SAMSUNG&PROD_FLASH_DRIVE&REV_1100\0376319020002347&0``` + > [!Note] + > Do not use spaces in the value. +3. Replace the device instance IDs with `&` into the sample SyncML. Add the SyncML into the Intune custom device configuration profile. + diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index 9711b4b2a4..70668fa9de 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -38,9 +38,11 @@ The following diagram shows the Reboot configuration service provider management

The supported operation is Get.

**Schedule/Single** -

This node will execute a reboot at a scheduled date and time. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required.
+

This node will execute a reboot at a scheduled date and time. The date and time value is **ISO 8601**, and both the date and time are required.
Example to configure: 2018-10-25T18:00:00

+Setting a null (empty) date will delete the existing schedule. In accordance with the ISO 8601 format, the date and time representation needs to be 0000-00-00T00:00:00. +

The supported operations are Get, Add, Replace, and Delete.

**Schedule/DailyRecurrent** @@ -53,13 +55,3 @@ Example to configure: 2018-10-25T18:00:00

[Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - - - diff --git a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md index cb2908dda2..7b4f4424be 100644 --- a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md +++ b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md 
@@ -25,7 +25,13 @@ manager: dansimp ## Overview -Starting in Windows 10, version 1703, you can import ADMX files (also called ADMX ingestion) and set those ADMX-backed policies for Win32 and Desktop Bridge apps by using Windows 10 Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies. +Starting in Windows 10, version 1703, you can import ADMX files (also called ADMX ingestion) and set those ADMX-backed policies for Win32 and Desktop Bridge apps by using Windows 10 Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies. + +NOTE: Starting from the following Windows 10 version Replace command is supported +- Windows 10, version 1903 with KB4512941 and KB4517211 installed +- Windows 10, version 1809 with KB4512534 and KB installed +- Windows 10, version 1803 with KB4512509 and KB installed +- Windows 10, version 1709 with KB4516071 and KB installed When the ADMX policies are imported, the registry keys to which each policy is written are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, are not overwritten. This precaution helps to avoid security concerns over opening the entire registry. Currently, the ingested policies are not allowed to write to locations within the **System**, **Software\Microsoft**, and **Software\Policies\Microsoft** keys, except for the following locations: 
@@ -48,6 +54,8 @@ When the ADMX policies are imported, the registry keys to which each policy is w - software\microsoft\exchange\ - software\policies\microsoft\vba\security\ - software\microsoft\onedrive +- software\Microsoft\Edge +- Software\Microsoft\EdgeUpdate\ > [!Warning] > Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined. diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index af378be469..4986e61b5d 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json @@ -35,9 +35,8 @@ "ms.technology": "windows", "audience": "ITPro", "ms.topic": "article", - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "feedback_system": "None", + "hideEdit": true, "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.win-configuration", diff --git a/windows/configure/docfx.json b/windows/configure/docfx.json index 564f47ae8b..3dcf319a94 100644 --- a/windows/configure/docfx.json +++ b/windows/configure/docfx.json @@ -30,6 +30,8 @@ "overwrite": [], "externalReference": [], "globalMetadata": { + "feedback_system": "None", + "hideEdit": true, "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.windows-configure" diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md index 9022265138..3534c08c5c 100644 --- a/windows/deployment/update/WIP4Biz-intro.md +++ b/windows/deployment/update/WIP4Biz-intro.md 
@@ -49,7 +49,7 @@ Windows 10 Insider Preview builds offer organizations a valuable and exciting op |Release channel |**Fast Ring:** Insider Preview builds in the Fast Ring are released approximately once a week and contain the very latest features. This makes them ideal for feature exploration.| |Users | Because Fast Ring builds are released so early in the development cycle, we recommend limiting feature exploration in your organization to IT administrators and developers running Insider Preview builds on secondary devices. | |Tasks | - Install and manage Insider Preview builds on devices (per device or centrally across multiple devices)
- Explore new features in Windows designed for organizations, including new features related to current and planned line of business applications
- Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) for a summary of current features. | -|Feedback | - Provide feedback via [Feedback Hub app](insiderhub://home/). This helps us make adjustments to features as quickly as possible.
- Encourage users to sign into the Feedback Hub using their AAD work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
- [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/en-us/how-to-feedback/) | +|Feedback | - Provide feedback via [Feedback Hub app](insiderhub://home/). This helps us make adjustments to features as quickly as possible.
- Encourage users to sign into the Feedback Hub using their AAD work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
- [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/how-to-feedback/) | ## Validate Insider Preview builds Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. This activity can play an important role in your [Windows 10 deployment strategy](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business). Early validation has several benefits: diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md index a7386012df..e716dce744 100644 --- a/windows/deployment/update/device-health-get-started.md +++ b/windows/deployment/update/device-health-get-started.md @@ -18,7 +18,7 @@ ms.topic: article # Get started with Device Health >[!IMPORTANT] ->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement). +>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement). This topic explains the steps necessary to configure your environment for Windows Analytics Device Health. 
@@ -29,7 +29,7 @@ This topic explains the steps necessary to configure your environment for Window - [Related topics](#related-topics) >[!IMPORTANT] ->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement). +>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement). ## Add the Device Health solution to your Azure subscription diff --git a/windows/deployment/update/device-health-monitor.md b/windows/deployment/update/device-health-monitor.md index 49b2c735d9..7274c2a591 100644 --- a/windows/deployment/update/device-health-monitor.md +++ b/windows/deployment/update/device-health-monitor.md @@ -19,7 +19,7 @@ ms.topic: article # Monitor the health of devices with Device Health >[!IMPORTANT] ->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement). +>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement). ## Introduction 
diff --git a/windows/deployment/update/device-health-using.md b/windows/deployment/update/device-health-using.md index 8ca94aa1a8..2bdfae2338 100644 --- a/windows/deployment/update/device-health-using.md +++ b/windows/deployment/update/device-health-using.md @@ -18,7 +18,7 @@ ms.topic: article # Using Device Health >[!IMPORTANT] ->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement). +>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement). This section describes how to use Device Health to monitor devices deployed on your network and troubleshoot the causes if they crash. diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md index 396ef254fd..adb1e56155 100644 --- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md +++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md 
@@ -88,6 +88,9 @@ This is the Bring Your Own Device (BYOD) method--your device will receive Olympi - This method will upgrade your Windows 10 Pro license to Enterprise and create a new account. See [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup) for more information. + > [!NOTE] + > Make sure that you save your Pro license key before upgrading to the Enterprise edition. If the device gets disconnected from Olympia, you can use the Pro key to reactivate the license manually in the unlikely event that the license fails to downgrade back to Pro automatically. To reactivate manually, see [Upgrade by manually entering a product key](https://docs.microsoft.com/windows/deployment/upgrade/windows-10-edition-upgrades#upgrade-by-manually-entering-a-product-key). + 1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). ![Settings -> Accounts](images/1-1.png) diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index c1083ce56e..b13b1e355c 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md 
@@ -33,7 +33,7 @@ Servicing stack updates improve the reliability of the update process to mitigat Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical." >[!NOTE] ->You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). +>You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001). ## What's the difference between a servicing stack update and a cumulative update? @@ -53,5 +53,5 @@ Typically, the improvements are reliability and performance improvements that do * Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system. * Installing servicing stack update does not require restarting the device, so installation should not be disruptive. * Servicing stack update releases are specific to the operating system version (build number), much like quality updates. -* Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). +* Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001). * Once a servicing stack update is installed, it cannot be removed or uninstalled from the machine. \ No newline at end of file diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 0413187d35..5e81c8e5a0 100644 
--- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -49,7 +49,7 @@ Update Compliance is offered as a solution which is linked to a new or existing ![Update Compliance solution creation](images/UC_01_marketplace_create.png) 4. Choose an existing workspace or create a new workspace that will be assigned to the Update Compliance solution. - - [Desktop Analytics](https://docs.microsoft.com/en-us/sccm/desktop-analytics/overview) customers are advised to use the same workspace for Update Compliance. + - [Desktop Analytics](https://docs.microsoft.com/sccm/desktop-analytics/overview) customers are advised to use the same workspace for Update Compliance. - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. - For the resource group setting select **Create new** and use the same name you chose for your new workspace. 
@@ -89,7 +89,7 @@ Commercial ID can be deployed using Group Policy. The Group Policy for Commercia ![Commercial ID Group Policy location](images/UC_commercialID_GP.png) #### Deploying Commercial ID using MDM -Commercial ID can be deployed through a [Mobile Device Management](https://docs.microsoft.com/en-us/windows/client-management/mdm/) (MDM) policy beginning with Windows 10, version 1607. Commercial ID is under the [DMClient configuration service provider](https://docs.microsoft.com/en-us/windows/client-management/mdm/dmclient-csp). +Commercial ID can be deployed through a [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM) policy beginning with Windows 10, version 1607. Commercial ID is under the [DMClient configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp). ### Ensure endpoints are whitelisted To enable data sharing between devices, your network, and Microsoft's Diagnostic Data Service, configure your proxy to whitelist the following endpoints. You may need security group approval to do this. 
@@ -105,7 +105,7 @@ To enable data sharing between devices, your network, and Microsoft's Diagnostic | `https://login.live.com` | This endpoint is optional but allows for the Update Compliance service to more reliably identify and process devices. If you want to disable end-user managed service account (MSA) access, you should apply the appropriate [policy](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts#block-all-consumer-microsoft-account-user-authentication) instead of blocking this endpoint. | ### Set diagnostic data levels -Update Compliance requires that devices are configured to send Microsoft at least the Basic level of diagnostic data in order to function. For more information on Windows diagnostic data, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization). +Update Compliance requires that devices are configured to send Microsoft at least the Basic level of diagnostic data in order to function. For more information on Windows diagnostic data, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization). #### Configuring Telemetry level using Group Policy You can set Allow Telemetry through Group Policy, this setting is in the same place as the Commercial ID policy, under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Allow Telemetry**. Update Compliance requires at least Basic (level 1) to function. 
@@ -113,7 +113,7 @@ You can set Allow Telemetry through Group Policy, this setting is in the same pl
 ![Allow Telemetry in Group Policy](images/UC_telemetrylevel.png)
 #### Configuring Telemetry level using MDM
-Telemetry level can additionally be configured through a [Mobile Device Management](https://docs.microsoft.com/en-us/windows/client-management/mdm/) (MDM) policy. Allow Telemetry is under the [Policy Configuration Service Provider](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider) as [System/AllowTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-allowtelemetry).
+Telemetry level can additionally be configured through a [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM) policy. Allow Telemetry is under the [Policy Configuration Service Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) as [System/AllowTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry).
 ### Enabling Device Name in telemetry
 Beginning with Windows 10, version 1803, Device Name is no longer collected as part of normal Windows Diagnostic Data and must explicitly be allowed to be sent to Microsoft. If devices do not have this policy enabled, their device name will appear as '#' instead.
@@ -122,7 +122,7 @@ Beginning with Windows 10, version 1803, Device Name is no longer collected as p
 Allow Device Name in Telemetry is under the same node as Commercial ID and Allow Telemetry policies in Group Policy, listed as **Allow device name to be sent in Windows diagnostic data**.
 #### Allow Device Name in Telemetry with MDM
-Allow Device Name in Telemetry is under the [Policy Configuration Service Provider](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider) as [System/AllowTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-allowtelemetry).
+Allow Device Name in Telemetry is under the [Policy Configuration Service Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) as [System/AllowTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry).
 >[!NOTE]
 >After enrolling your devices (by deploying your CommercialID and Windows Diagnostic Data settings), it might take 48-72 hours for the first data to appear in the solution. Until then, Update Compliance will indicate it is still assessing devices.
\ No newline at end of file
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index e41b2f365b..8996c05986 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -18,7 +18,7 @@ ms.topic: article
 # Monitor Windows Updates with Update Compliance
 >[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
+>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
 ## Introduction
diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md
index ab1a485ac8..e7d8d21550 100644
--- a/windows/deployment/update/waas-delivery-optimization-reference.md
+++ b/windows/deployment/update/waas-delivery-optimization-reference.md
@@ -132,7 +132,8 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection - 1 = AD Site - 2 = Authenticated domain SID - 3 = DHCP Option ID (with this option, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID) -- 4 = DNS Suffix +- 4 = DNS Suffix +- 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5. When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-4, the policy is ignored. diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index 96e833ec0a..479877ca3a 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md 
@@ -46,14 +46,14 @@ Windows Update for Business provides management policies for several types of up ## Offering -You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period of time. +You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period. ### Manage which updates are offered Windows Update for Business offers you the ability to turn on or off both driver and Microsoft product updates. - Drivers (on/off): When "on," this policy will not include drivers with Windows Update. -- Microsoft product updates (on/off): When "on" this policy will install udpates for other Microsoft products. +- Microsoft product updates (on/off): When "on" this policy will install updates for other Microsoft products. ### Manage when updates are offered 
@@ -90,11 +90,19 @@ The branch readiness level enables administrators to specify which channel of fe Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days will be calculated against a release’s Semi-annual Channel release date. To see release dates, visit [Windows Release Information](https://docs.microsoft.com/windows/release-information/). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. In order to use this to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy. +### Recommendations + +For the best experience with Windows Update, follow these guidelines: + +- Use devices for at least 6 hours per month, including at least 2 hours of continuous use. +- Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours. +- Make sure that devices have at least 10 GB of free space. +- Give devices unobstructed access to the Windows Update service. ## Monitor Windows Updates by using Update Compliance -Update Compliance provides a holistic view of operating system update compliance, update deployment progress, and failure troubleshooting for Windows 10 devices. This service uses diagnostic data including installation progress, Windows Update configuration, and other information to provide such insights, at no extra cost and without additional infrastructure requirements. Whether used with Windows Update for Business or other management tools, you can be assured that your devices are properly updated. 
+Update Compliance provides a holistic view of operating system update compliance, update deployment progress, and failure troubleshooting for Windows 10 devices. This service uses diagnostic data including installation progress, Windows Update configuration, and other information to provide such insights, at no extra cost and without extra infrastructure requirements. Whether used with Windows Update for Business or other management tools, you can be assured that your devices are properly updated. ![Update Compliance Dashboard](images/waas-wufb-update-compliance.png) diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md index ecc49de5af..cbfbcdff46 100644 --- a/windows/deployment/update/waas-morenews.md +++ b/windows/deployment/update/waas-morenews.md @@ -7,7 +7,6 @@ audience: itpro itproauthor: jaimeo author: jaimeo ms.author: jaimeo -ms.date: 12/19/2018 ms.reviewer: manager: laurawi ms.localizationpriority: high @@ -18,6 +17,12 @@ ms.topic: article Here's more news about [Windows as a service](windows-as-a-service.md):
    +
  • Windows 10 Enterprise vs. Windows 10 Pro: Modern management considerations for your organization - June 25, 2019
  • +
  • Updating Windows 10, version 1903 using Configuration Manager or WSUS - May 23, 2019
  • +
  • What’s new in Windows Update for Business in Windows 10, version 1903 - May 21, 2019
  • +
  • What’s new for IT pros in Windows 10, version 1903 - May 21, 2019
  • +
  • How to get the Windows 10 May 2019 Update - May 21, 2019
  • +
  • The benefits of Windows 10 Dynamic Update - April 17, 2019
  • Improving the Windows 10 update experience with control, quality and transparency - April 4, 2019
  • Call to action: review your Windows Update for Business deferral values - April 3, 2019
  • Windows 10, version 1809 designated for broad deployment - March 28, 2019
  • diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md index 453488ddf0..2f891c98c0 100644 --- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md @@ -57,14 +57,14 @@ The Semi-Annual Channel is the default servicing channel for all Windows 10 devi 1. Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options**. 2. Select **Defer feature updates**. -**To assign devicess to the Semi-Annual Channel by using Group Policy** +**To assign devices to the Semi-Annual Channel by using Group Policy** - In Windows 10, version 1607 and later releases: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** - enable policy and set branch readiness level to the Semi-Annual Channel -**To assign devicess to to the Semi-Annual Channel by using MDM** +**To assign devices to to the Semi-Annual Channel by using MDM** - In Windows 10, version 1607 and later releases: @@ -82,8 +82,8 @@ The Semi-Annual Channel is the default servicing channel for all Windows 10 devi To get started with the Windows Insider Program for Business, you will need to follow a few simple steps: -1. On the [Windows Insider](https://insider.windows.com) website, go to **For Business > Getting Started** to [register your organizational Azure AD account](https://insider.windows.com/en-us/insidersigninaad/). -2. **Register your domain**. Rather than have each user register individually for Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/en-us/for-business-organization-admin/) and control settings centrally.
    **Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain. +1. On the [Windows Insider](https://insider.windows.com) website, go to **For Business > Getting Started** to [register your organizational Azure AD account](https://insider.windows.com/insidersigninaad/). +2. **Register your domain**. Rather than have each user register individually for Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/for-business-organization-admin/) and control settings centrally.
    **Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain. 3. Make sure the **Allow Telemetry** setting is set to **2** or higher. 4. Starting with Windows 10, version 1709, set policies to manage preview builds and their delivery: diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md index 4f04e51290..5898646433 100644 --- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md +++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md 
@@ -19,7 +19,7 @@ ms.topic: article
 # Frequently asked questions and troubleshooting Windows Analytics
 >[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
+>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
 >[!IMPORTANT]
 >**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition).
diff --git a/windows/deployment/update/windows-analytics-azure-portal.md b/windows/deployment/update/windows-analytics-azure-portal.md
index 610deb2695..5b1310a627 100644
--- a/windows/deployment/update/windows-analytics-azure-portal.md
+++ b/windows/deployment/update/windows-analytics-azure-portal.md
@@ -19,7 +19,7 @@ ms.topic: article
 # Windows Analytics in the Azure Portal
 >[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
+>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
 Windows Analytics uses Azure Log Analytics workspaces (formerly known as Operations Management Suite or OMS), a collection of cloud-based services for monitoring and automating your on-premises and cloud environments.
diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md
index 8b3ebe0b50..18a4d35cd9 100644
--- a/windows/deployment/update/windows-analytics-get-started.md
+++ b/windows/deployment/update/windows-analytics-get-started.md
@@ -17,7 +17,7 @@ ms.topic: article
 # Enrolling devices in Windows Analytics
 >[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
+>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
 If you have not already done so, consult the topics for any of the three Windows Analytics solutions (Update Compliance, Upgrade Readiness, and Device Health) you intend to use and follow the steps there to add the solutions to Azure Portal.
@@ -101,8 +101,8 @@ The compatibility update scans your devices and enables application usage tracki
 | **Operating System** | **Updates** |
 |----------------------|-----------------------------------------------------------------------------|
 | Windows 10 | Windows 10 includes the compatibility update, so you will automatically have the latest compatibility update so long as you continue to keep your Windows 10 devices up to date with cumulative updates. |
-| Windows 8.1 | The compatibility update is included in monthly quality updates for Windows 8.1. We recommend installing the latest [Windows Monthly Rollup](http://www.catalog.update.microsoft.com/Search.aspx?q=security%20monthly%20quality%20rollup%20for%20windows%208) before attempting to enroll devices into Windows Analytics. |
-| Windows 7 SP1 | The compatibility update is included in monthly quality updates for Windows 7. We recommend installing the latest [Windows Monthly Rollup](http://www.catalog.update.microsoft.com/Search.aspx?q=security%20monthly%20quality%20rollup%20for%20windows%207) before attempting to enroll devices into Windows Analytics. |
+| Windows 8.1 | The compatibility update is included in monthly quality updates for Windows 8.1. We recommend installing the latest [Windows Monthly Rollup](https://www.catalog.update.microsoft.com/Search.aspx?q=security%20monthly%20quality%20rollup%20for%20windows%208) before attempting to enroll devices into Windows Analytics. |
+| Windows 7 SP1 | The compatibility update is included in monthly quality updates for Windows 7. We recommend installing the latest [Windows Monthly Rollup](https://www.catalog.update.microsoft.com/Search.aspx?q=security%20monthly%20quality%20rollup%20for%20windows%207) before attempting to enroll devices into Windows Analytics. |
 ### Connected User Experiences and Telemetry service
diff --git a/windows/deployment/update/windows-analytics-overview.md b/windows/deployment/update/windows-analytics-overview.md
index 43531d972c..5d63af3e36 100644
--- a/windows/deployment/update/windows-analytics-overview.md
+++ b/windows/deployment/update/windows-analytics-overview.md
@@ -21,7 +21,7 @@ ms.topic: article
 Windows Analytics is a set of solutions for Azure Portal that provide you with extensive data about the state of devices in your deployment. There are currently three solutions which you can use singly or in any combination:
 >[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
+>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
 ## Device Health
diff --git a/windows/deployment/update/windows-analytics-privacy.md b/windows/deployment/update/windows-analytics-privacy.md
index f0b2a4f3af..fcfe1d41f9 100644
--- a/windows/deployment/update/windows-analytics-privacy.md
+++ b/windows/deployment/update/windows-analytics-privacy.md
@@ -19,7 +19,7 @@ ms.topic: article # Windows Analytics and privacy >[!IMPORTANT] ->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement). +>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement). Windows Analytics is fully committed to privacy, centering on these tenets: diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md index 91ff545345..3acd3f759a 100644 --- a/windows/deployment/update/windows-as-a-service.md +++ b/windows/deployment/update/windows-as-a-service.md @@ -29,13 +29,16 @@ Everyone wins when transparency is a top priority. We want you to know when upda The latest news: [See more news](waas-morenews.md). You can also check out the [Windows 10 blog](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog). diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md index dc7f8eaa52..044398b870 100644 --- a/windows/deployment/update/windows-update-error-reference.md +++ b/windows/deployment/update/windows-update-error-reference.md 
@@ -137,7 +137,7 @@ The following errors map to `SOAP_ERROR_CODE`s from the `Atlsoap.h` file. These
 | 0x8024401E | `WU_E_PT_HTTP_STATUS_GONE` | Same as HTTP status 410 - requested resource is no longer available at the server. |
 | 0x8024401F | `WU_E_PT_HTTP_STATUS_SERVER_ERROR` | Same as HTTP status 500 - an error internal to the server prevented fulfilling the request. |
 | 0x80244020 | `WU_E_PT_HTTP_STATUS_NOT_SUPPORTED` | Same as HTTP status 500 - server does not support the functionality required to fulfill the request. |
-| 0x80244021 | `WU_E_PT_HTTP_STATUS_BAD_GATEWAY` | Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfil the request. |
+| 0x80244021 | `WU_E_PT_HTTP_STATUS_BAD_GATEWAY` | Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfill the request. |
 | 0x80244022 | `WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL` | Same as HTTP status 503 - the service is temporarily overloaded. |
 | 0x80244023 | `WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT` | Same as HTTP status 503 - the request was timed out waiting for a gateway. |
 | 0x80244024 | `WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP` | Same as HTTP status 505 - the server does not support the HTTP protocol version used for the request. |
diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md
index a1784e6a6e..7fd5fb5a6e 100644
--- a/windows/deployment/update/windows-update-troubleshooting.md
+++ b/windows/deployment/update/windows-update-troubleshooting.md
@@ -48,7 +48,7 @@ The update that is offered to a device depends on several factors. Some of the m
 If the update you're offered isn't the most current available, it might be because your device is being managed by a WSUS server, and you're being offered the updates available on that server. It's also possible, if your device is part of a Windows as a Service deployment ring, that your admin is intentionally slowing the rollout of updates. Since the WaaS rollout is slow and measured to begin with, all devices will not receive the update on the same day.
-## My machine is frozen at scan. Why?
+## My device is frozen at scan. Why?
 The Settings UI is talking to the Update Orchestrator service which in turn is talking to Windows Update service. If these services stop unexpectedly then you might see this behavior. In such cases, do the following:
 1. Close the Settings app and reopen it.
 2. Launch Services.msc and check if the following services are running:
@@ -145,7 +145,23 @@ Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping Windows Update provides a wide range configuration policies to control the behavior of WU service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting polices may lead to unexpected behaviors. See [How to configure automatic updates by using Group Policy or registry settings](https://support.microsoft.com/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s) for more information. + +## Device cannot access update files +Check that your device can access these Windows Update endpoints: + +- http://windowsupdate.microsoft.com +- http://*.windowsupdate.microsoft.com +- https://*.windowsupdate.microsoft.com +- http://*.update.microsoft.com +- https://*.update.microsoft.com +- http://*.windowsupdate.com +- http://download.windowsupdate.com +- https://download.microsoft.com +- http://*.download.windowsupdate.com +- http://wustat.windows.com +- http://ntservicepack.microsoft.com + Whitelist these endpoints for future use. ## Updates aren't downloading from the intranet endpoint (WSUS/SCCM) Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps: diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md index 0214e53ad8..ddb3d63a10 100644 --- a/windows/deployment/upgrade/log-files.md +++ b/windows/deployment/upgrade/log-files.md @@ -9,7 +9,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay ms.localizationpriority: medium ms.topic: article --- 
@@ -159,6 +160,93 @@ Therefore, Windows Setup failed because it was not able to migrate the corrupt f 27:08, Error SP SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C +
    setupapi.dev.log content: + +
    +>>>  [Device Install (UpdateDriverForPlugAndPlayDevices) - PCI\VEN_8086&DEV_8C4F]
    +>>>  Section start 2019/09/26 20:13:01.623
    +      cmd: rundll32.exe "C:\WINDOWS\Installer\MSI6E4C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_95972906 484 ChipsetWiX.CustomAction!Intel.Deployment.ChipsetWiX.CustomActions.InstallDrivers
    +     ndv: INF path: C:\WINDOWS\TEMP\{15B1CD41-69F5-48EA-9F45-0560A40FE2D8}\Drivers\lynxpoint\LynxPointSystem.inf
    +     ndv: Install flags: 0x00000000
    +     ndv: {Update Device Driver - PCI\VEN_8086&DEV_8C4F&SUBSYS_05BE1028&REV_04\3&11583659&0&F8}
    +     ndv:      Search options: 0x00000081
    +     ndv:      Searching single INF 'C:\WINDOWS\TEMP\{15B1CD41-69F5-48EA-9F45-0560A40FE2D8}\Drivers\lynxpoint\LynxPointSystem.inf'
    +     dvi:      {Build Driver List} 20:13:01.643
    +     dvi:           Searching for hardware ID(s):
    +     dvi:                pci\ven_8086&dev_8c4f&subsys_05be1028&rev_04
    +     dvi:                pci\ven_8086&dev_8c4f&subsys_05be1028
    +     dvi:                pci\ven_8086&dev_8c4f&cc_060100
    +     dvi:                pci\ven_8086&dev_8c4f&cc_0601
    +     dvi:           Searching for compatible ID(s):
    +     dvi:                pci\ven_8086&dev_8c4f&rev_04
    +     dvi:                pci\ven_8086&dev_8c4f
    +     dvi:                pci\ven_8086&cc_060100
    +     dvi:                pci\ven_8086&cc_0601
    +     dvi:                pci\ven_8086
    +     dvi:                pci\cc_060100
    +     dvi:                pci\cc_0601
    +     sig:           {_VERIFY_FILE_SIGNATURE} 20:13:01.667
    +     sig:                Key      = lynxpointsystem.inf
    +     sig:                FilePath = c:\windows\temp\{15b1cd41-69f5-48ea-9f45-0560a40fe2d8}\drivers\lynxpoint\lynxpointsystem.inf
    +     sig:                Catalog  = c:\windows\temp\{15b1cd41-69f5-48ea-9f45-0560a40fe2d8}\drivers\lynxpoint\LynxPoint.cat
    +     sig:                Success: File is signed in catalog.
    +     sig:           {_VERIFY_FILE_SIGNATURE exit(0x00000000)} 20:13:01.683
    +     dvi:           Created Driver Node:
    +     dvi:                HardwareID   - PCI\VEN_8086&DEV_8C4F
    +     dvi:                InfName      - c:\windows\temp\{15b1cd41-69f5-48ea-9f45-0560a40fe2d8}\drivers\lynxpoint\lynxpointsystem.inf
    +     dvi:                DevDesc      - Intel(R) QM87 LPC Controller - 8C4F
    +     dvi:                Section      - Needs_ISAPNP_DRV
    +     dvi:                Rank         - 0x00ff2001
    +     dvi:                Signer Score - WHQL
    +     dvi:                DrvDate      - 04/04/2016
    +     dvi:                Version      - 10.1.1.18
    +     dvi:      {Build Driver List - exit(0x00000000)} 20:13:01.699
    +     ndv:      Searching currently installed INF
    +     dvi:      {Build Driver List} 20:13:01.699
    +     dvi:           Searching for hardware ID(s):
    +     dvi:                pci\ven_8086&dev_8c4f&subsys_05be1028&rev_04
    +     dvi:                pci\ven_8086&dev_8c4f&subsys_05be1028
    +     dvi:                pci\ven_8086&dev_8c4f&cc_060100
    +     dvi:                pci\ven_8086&dev_8c4f&cc_0601
    +     dvi:           Searching for compatible ID(s):
    +     dvi:                pci\ven_8086&dev_8c4f&rev_04
    +     dvi:                pci\ven_8086&dev_8c4f
    +     dvi:                pci\ven_8086&cc_060100
    +     dvi:                pci\ven_8086&cc_0601
    +     dvi:                pci\ven_8086
    +     dvi:                pci\cc_060100
    +     dvi:                pci\cc_0601
    +     dvi:           Created Driver Node:
    +     dvi:                HardwareID   - PCI\VEN_8086&DEV_8C4F
    +     dvi:                InfName      - C:\WINDOWS\System32\DriverStore\FileRepository\lynxpointsystem.inf_amd64_cd1e518d883ecdfe\lynxpointsystem.inf
    +     dvi:                DevDesc      - Intel(R) QM87 LPC Controller - 8C4F
    +     dvi:                Section      - Needs_ISAPNP_DRV
    +     dvi:                Rank         - 0x00ff2001
    +     dvi:                Signer Score - WHQL
    +     dvi:                DrvDate      - 10/03/2016
    +     dvi:                Version      - 10.1.1.38
    +     dvi:      {Build Driver List - exit(0x00000000)} 20:13:01.731
    +     dvi:      {DIF_SELECTBESTCOMPATDRV} 20:13:01.731
    +     dvi:           Default installer: Enter 20:13:01.735
    +     dvi:                {Select Best Driver}
    +     dvi:                     Class GUID of device changed to: {4d36e97d-e325-11ce-bfc1-08002be10318}.
    +     dvi:                     Selected Driver:
    +     dvi:                          Description - Intel(R) QM87 LPC Controller - 8C4F
    +     dvi:                          InfFile     - c:\windows\system32\driverstore\filerepository\lynxpointsystem.inf_amd64_cd1e518d883ecdfe\lynxpointsystem.inf
    +     dvi:                          Section     - Needs_ISAPNP_DRV
    +     dvi:                {Select Best Driver - exit(0x00000000)}
    +     dvi:           Default installer: Exit
    +     dvi:      {DIF_SELECTBESTCOMPATDRV - exit(0x00000000)} 20:13:01.743
    +     ndv:      Currently Installed Driver:
    +     ndv:           Inf Name       - oem1.inf
    +     ndv:           Driver Date    - 10/03/2016
    +     ndv:           Driver Version - 10.1.1.38
    +     ndv: {Update Device Driver - exit(00000103)}
    +!    ndv: No better matching drivers found for device 'PCI\VEN_8086&DEV_8C4F&SUBSYS_05BE1028&REV_04\3&11583659&0&F8'.
    +!    ndv: No devices were updated.
    +<<<  Section end 2019/09/26 20:13:01.759
    +<<<  [Exit status: FAILURE(0xC1900101)]
    +

    This analysis indicates that the Windows upgrade error can be resolved by deleting the C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN] file. Note: In this example, the full, unshortened file name is C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\be8228fb2d3cb6c6b0ccd9ad51b320b4_a43d512c-69f2-42de-aef9-7a88fabdaa3f.
diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md
index 15c4156866..f3f38c5db9 100644
--- a/windows/deployment/upgrade/resolution-procedures.md
+++ b/windows/deployment/upgrade/resolution-procedures.md
@@ -9,7 +9,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
-audience: itpro author: greg-lindsay
+audience: itpro
+author: greg-lindsay
 ms.localizationpriority: medium
 ms.topic: article
 ---
@@ -294,7 +295,7 @@ This error has more than one possible cause. Attempt [quick fixes](quick-fixes.m
 0x80073BC3 - 0x20009
    -0x8007002 - 0x20009
    +0x80070002 - 0x20009
    0x80073B92 - 0x20009
@@ -698,12 +699,12 @@ Also see the following sequential list of modern setup (mosetup) error codes wit
 | 0XC1900105 | MOSETUP_E_TEST_MODE | The installation process is being used in a test environment. |
 | 0XC1900106 | MOSETUP_E_TERMINATE_PROCESS | The installation process was terminated. |
 | 0XC1900107 | MOSETUP_E_CLEANUP_PENDING | A cleanup operation from a previous installation attempt is still pending. A system reboot is required. |
-| 0XC1900108 | MOSETUP_E_REPORTING | An error has occured and the result value must be consolidated for telemetry purposes. |
+| 0XC1900108 | MOSETUP_E_REPORTING | An error has occurred and the result value must be consolidated for telemetry purposes. |
 | 0XC1900109 | MOSETUP_E_COMPAT_TERMINATE | The installation process was terminated during the actionable compatibility phase. |
-| 0XC190010a | MOSETUP_E_UNKNOWN_CMD_LINE | The installation process was launched with an unknown command line argument. |
+| 0XC190010a | MOSETUP_E_UNKNOWN_CMD_LINE | The installation process was launched with an unknown command-line argument. |
 | 0XC190010b | MOSETUP_E_INSTALL_IMAGE_NOT_FOUND | The installation image was not found. |
 | 0XC190010c | MOSETUP_E_AUTOMATION_INVALID | The provided automation information was invalid. |
-| 0XC190010d | MOSETUP_E_INVALID_CMD_LINE | The installation process was launched with an invalid command line argument. |
+| 0XC190010d | MOSETUP_E_INVALID_CMD_LINE | The installation process was launched with an invalid command-line argument. |
 | 0XC190010e | MOSETUP_E_EULA_ACCEPT_REQUIRED | The installation process requires that the user accept the license agreement. |
 | 0XC1900110 | MOSETUP_E_EULA_CANCEL | The user has chosen to cancel for license agreement. |
 | 0XC1900111 | MOSETUP_E_ADVERTISE_CANCEL | The user has chosen to cancel for advertisement. |
diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md index c9509188a3..e06f80e04b 100644 --- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md +++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md @@ -1,97 +1,98 @@ ---- -title: Troubleshoot Windows 10 upgrade errors - Windows IT Pro -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Troubleshooting upgrade errors - -**Applies to** -- Windows 10 - ->[!NOTE] ->This is a 300 level topic (moderately advanced).
    ->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. - -If a Windows 10 upgrade is not successful, it can be very helpful to understand *when* an error occurred in the upgrade process. - -Briefly, the upgrade process consists of four phases: **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase. Note: Progress is tracked in the registry during the upgrade process using the following key: **HKLM\System\Setup\mosetup\volatile\SetupProgress**. This key is volatile and only present during the upgrade process; it contains a binary value in the range 0-100. - -These phases are explained in greater detail [below](#the-windows-10-upgrade-process). First, let's summarize the actions performed during each phase because this affects the type of errors that can be encountered. - -1. **Downlevel phase**: Because this phase runs on the source OS, upgrade errors are not typically seen. If you do encounter an error, ensure the source OS is stable. Also ensure the Windows setup source and the destination drive are accessible. - -2. **SafeOS phase**: Errors most commonly occur during this phase due to hardware issues, firmware issues, or non-microsoft disk encryption software. - - Since the computer is booted into Windows PE during the SafeOS phase, a useful troubleshooting technique is to boot into [Windows PE](https://docs.microsoft.com/windows-hardware/manufacture/desktop/winpe-intro) using installation media. You can use the [media creation tool](https://www.microsoft.com/software-download/windows10) to create bootable media, or you can use tools such as the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit), and then boot your device from this media to test for hardware and firmware compatibility issues. 
- - >[!TIP] - >If you attempt to use the media creation tool with a USB drive and this fails with error 0x80004005 - 0xa001a, this is because the USB drive is using GPT partition style. The tool requires that you use MBR partition style. You can use the DISKPART command to convert the USB drive from GPT to MBR. For more information, see [Change a GUID Partition Table Disk into a Master Boot Record Disk](https://go.microsoft.com/fwlink/?LinkId=207050). - - **Do not proceed with the Windows 10 installation after booting from this media**. This method can only be used to perform a clean install which will not migrate any of your apps and settings, and you will be required re-enter your Windows 10 license information. - - If the computer does not successfully boot into Windows PE using the media that you created, this is likely due to a hardware or firmware issue. Check with your hardware manufacturer and apply any recommended BIOS and firmware updates. If you are still unable to boot to installation media after applying updates, disconnect or replace legacy hardware. - - If the computer successfully boots into Windows PE, but you are not able to browse the system drive on the computer, it is possible that non-Microsoft disk encryption software is blocking your ability to perform a Windows 10 upgrade. Update or temporarily remove the disk encryption. - -3. **First boot phase**: Boot failures in this phase are relatively rare, and almost exclusively caused by device drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. Obtain and install updated device drivers, then retry the upgrade. - -4. **Second boot phase**: In this phase, the system is running under the target OS with new drivers. Boot failures are most commonly due to anti-virus software or filter drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. 
Obtain and install updated device drivers, temporarily uninstall anti-virus software, then retry the upgrade. - -If the general troubleshooting techniques described above or the [quick fixes](quick-fixes.md) detailed below do not resolve your issue, you can attempt to analyze [log files](log-files.md) and interpret [upgrade error codes](upgrade-error-codes.md). You can also [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md) so that Microsoft can diagnose your issue. - -## The Windows 10 upgrade process - -The **Windows Setup** application is used to upgrade a computer to Windows 10, or to perform a clean installation. Windows Setup starts and restarts the computer, gathers information, copies files, and creates or adjusts configuration settings. - -When performing an operating system upgrade, Windows Setup uses phases described below. A reboot occurs between each of the phases. After the first reboot, the user interface will remain the same until the upgrade is completed. Percent progress is displayed and will advance as you move through each phase, reaching 100% at the end of the second boot phase. - -1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Windows files are copied and installation components are gathered. - - ![downlevel phase](../images/downlevel.png) - -2. **Safe OS phase**: A recovery partition is configured, Windows files are expanded, and updates are installed. An OS rollback is prepared if needed. Example error codes: 0x2000C, 0x20017. - - ![safeOS phase](../images/safeos.png) - -3. **First boot phase**: Initial settings are applied. Example error codes: 0x30018, 0x3000D. - - ![first boot phase](../images/firstboot.png) - -4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**. Example error codes: 0x4000D, 0x40017. 
- - At the end of the second boot phase, the **Welcome to Windows 10** screen is displayed, preferences are configured, and the Windows 10 sign-in prompt is displayed. - - ![second boot phase](../images/secondboot.png) - - ![second boot phase](../images/secondboot2.png) - - ![second boot phase](../images/secondboot3.png) - -5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful (image not shown). Example error codes: 0x50000, 0x50015. - -**Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown): - -![Upgrade process](../images/upgrade-process.png) - -DU = Driver/device updates.
    -OOBE = Out of box experience.
    -WIM = Windows image (Microsoft) - -## Related topics - -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) -
    [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
    [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications) -
    [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) -
    [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) +--- +title: Troubleshoot Windows 10 upgrade errors - Windows IT Pro +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. +keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro +author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Troubleshooting upgrade errors + +**Applies to** +- Windows 10 + +>[!NOTE] +>This is a 300 level topic (moderately advanced).
    +>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. + +If a Windows 10 upgrade is not successful, it can be very helpful to understand *when* an error occurred in the upgrade process. + +Briefly, the upgrade process consists of four phases: **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase. Note: Progress is tracked in the registry during the upgrade process using the following key: **HKLM\System\Setup\mosetup\volatile\SetupProgress**. This key is volatile and only present during the upgrade process; it contains a binary value in the range 0-100. + +These phases are explained in greater detail [below](#the-windows-10-upgrade-process). First, let's summarize the actions performed during each phase because this affects the type of errors that can be encountered. + +1. **Downlevel phase**: Because this phase runs on the source OS, upgrade errors are not typically seen. If you do encounter an error, ensure the source OS is stable. Also ensure the Windows setup source and the destination drive are accessible. + +2. **SafeOS phase**: Errors most commonly occur during this phase due to hardware issues, firmware issues, or non-microsoft disk encryption software. + + Since the computer is booted into Windows PE during the SafeOS phase, a useful troubleshooting technique is to boot into [Windows PE](https://docs.microsoft.com/windows-hardware/manufacture/desktop/winpe-intro) using installation media. You can use the [media creation tool](https://www.microsoft.com/software-download/windows10) to create bootable media, or you can use tools such as the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit), and then boot your device from this media to test for hardware and firmware compatibility issues. 
+ + >[!TIP] + >If you attempt to use the media creation tool with a USB drive and this fails with error 0x80004005 - 0xa001a, this is because the USB drive is using GPT partition style. The tool requires that you use MBR partition style. You can use the DISKPART command to convert the USB drive from GPT to MBR. For more information, see [Change a GUID Partition Table Disk into a Master Boot Record Disk](https://go.microsoft.com/fwlink/?LinkId=207050). + + **Do not proceed with the Windows 10 installation after booting from this media**. This method can only be used to perform a clean install which will not migrate any of your apps and settings, and you will be required re-enter your Windows 10 license information. + + If the computer does not successfully boot into Windows PE using the media that you created, this is likely due to a hardware or firmware issue. Check with your hardware manufacturer and apply any recommended BIOS and firmware updates. If you are still unable to boot to installation media after applying updates, disconnect or replace legacy hardware. + + If the computer successfully boots into Windows PE, but you are not able to browse the system drive on the computer, it is possible that non-Microsoft disk encryption software is blocking your ability to perform a Windows 10 upgrade. Update or temporarily remove the disk encryption. + +3. **First boot phase**: Boot failures in this phase are relatively rare, and almost exclusively caused by device drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. Obtain and install updated device drivers, then retry the upgrade. + +4. **Second boot phase**: In this phase, the system is running under the target OS with new drivers. Boot failures are most commonly due to anti-virus software or filter drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. 
Obtain and install updated device drivers, temporarily uninstall anti-virus software, then retry the upgrade. + +If the general troubleshooting techniques described above or the [quick fixes](quick-fixes.md) detailed below do not resolve your issue, you can attempt to analyze [log files](log-files.md) and interpret [upgrade error codes](upgrade-error-codes.md). You can also [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md) so that Microsoft can diagnose your issue. + +## The Windows 10 upgrade process + +The **Windows Setup** application is used to upgrade a computer to Windows 10, or to perform a clean installation. Windows Setup starts and restarts the computer, gathers information, copies files, and creates or adjusts configuration settings. + +When performing an operating system upgrade, Windows Setup uses phases described below. A reboot occurs between each of the phases. After the first reboot, the user interface will remain the same until the upgrade is completed. Percent progress is displayed and will advance as you move through each phase, reaching 100% at the end of the second boot phase. + +1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Windows files are copied and installation components are gathered. + + ![downlevel phase](../images/downlevel.png) + +2. **Safe OS phase**: A recovery partition is configured, Windows files are expanded, and updates are installed. An OS rollback is prepared if needed. Example error codes: 0x2000C, 0x20017. + + ![safeOS phase](../images/safeos.png) + +3. **First boot phase**: Initial settings are applied. Example error codes: 0x30018, 0x3000D. + + ![first boot phase](../images/firstboot.png) + +4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**. Example error codes: 0x4000D, 0x40017. 
+ + At the end of the second boot phase, the **Welcome to Windows 10** screen is displayed, preferences are configured, and the Windows 10 sign-in prompt is displayed. + + ![second boot phase](../images/secondboot.png) + + ![second boot phase](../images/secondboot2.png) + + ![second boot phase](../images/secondboot3.png) + +5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful (image not shown). Example error codes: 0x50000, 0x50015. + +**Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown): + +![Upgrade process](../images/upgrade-process.png) + +DU = Driver/device updates.
    +OOBE = Out of box experience.
    +WIM = Windows image (Microsoft) + +## Related topics + +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +
    [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) +
    [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-/ifications) +
    [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) +
    [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md index 0dd0d042c6..7f4624ce3a 100644 --- a/windows/deployment/upgrade/upgrade-error-codes.md +++ b/windows/deployment/upgrade/upgrade-error-codes.md @@ -1,159 +1,160 @@ ---- -title: Upgrade error codes - Windows IT Pro -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Upgrade error codes - -**Applies to** -- Windows 10 - ->[!NOTE] ->This is a 400 level topic (advanced).
    ->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. - - -If the upgrade process is not successful, Windows Setup will return two codes: - -1. **A result code**: The result code corresponds to a specific Win32 or NTSTATUS error. -2. **An extend code**: The extend code contains information about both the *phase* in which an error occurred, and the *operation* that was being performed when the error occurred. - ->For example, a result code of **0xC1900101** with an extend code of **0x4000D** will be returned as: **0xC1900101 - 0x4000D**. - -Note: If only a result code is returned, this can be because a tool is being used that was not able to capture the extend code. For example, if you are using the [Windows 10 Upgrade Assistant](https://support.microsoft.com/kb/3159635) then only a result code might be returned. - ->[!TIP] ->If you are unable to locate the result and extend error codes, you can attempt to find these codes using Event Viewer. For more information, see [Windows Error Reporting](windows-error-reporting.md). - -## Result codes - ->A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue.
    To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](resolution-procedures.md) section later in this article. - -The following set of result codes are associated with [Windows Setup](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options) compatibility warnings: - -| Result code | Message | Description | -| --- | --- | --- | -| 0xC1900210 | MOSETUP_E_COMPAT_SCANONLY | Setup did not find any compat issue | -| 0xC1900208 | MOSETUP_E_COMPAT_INSTALLREQ_BLOCK | Setup found an actionable compat issue, such as an incompatible app | -| 0xC1900204 | MOSETUP_E_COMPAT_MIGCHOICE_BLOCK | The migration choice selected is not available (ex: Enterprise to Home) | -| 0xC1900200 | MOSETUP_E_COMPAT_SYSREQ_BLOCK | The computer is not eligible for Windows 10 | -| 0xC190020E | MOSETUP_E_INSTALLDISKSPACE_BLOCK | The computer does not have enough free space to install | - -A list of modern setup (mosetup) errors with descriptions in the range is available in the [Resolution procedures](resolution-procedures.md#modern-setup-errors) topic in this article. - -Other result codes can be matched to the specific type of error encountered. To match a result code to an error: - -1. Identify the error code type as either Win32 or NTSTATUS using the first hexadecimal digit: -
    **8** = Win32 error code (ex: 0x**8**0070070) -
    **C** = NTSTATUS value (ex: 0x**C**1900107) -2. Write down the last 4 digits of the error code (ex: 0x8007**0070** = 0070). These digits are the actual error code type as defined in the [HRESULT](https://msdn.microsoft.com/library/cc231198.aspx) or the [NTSTATUS](https://msdn.microsoft.com/library/cc231200.aspx) structure. Other digits in the code identify things such as the device type that produced the error. -3. Based on the type of error code determined in the first step (Win32 or NTSTATUS), match the 4 digits derived from the second step to either a Win32 error code or NTSTATUS value using the following links: - - [Win32 error code](https://msdn.microsoft.com/library/cc231199.aspx) - - [NTSTATUS value](https://msdn.microsoft.com/library/cc704588.aspx) - -Examples: -- 0x80070070 - - Based on the "8" this is a Win32 error code - - The last four digits are 0070, so look up 0x00000070 in the [Win32 error code](https://msdn.microsoft.com/library/cc231199.aspx) table - - The error is: **ERROR_DISK_FULL** -- 0xC1900107 - - Based on the "C" this is an NTSTATUS error code - - The last four digits are 0107, so look up 0x00000107 in the [NTSTATUS value](https://msdn.microsoft.com/library/cc704588.aspx) table - - The error is: **STATUS_SOME_NOT_MAPPED** - -Some result codes are self-explanatory, whereas others are more generic and require further analysis. In the examples shown above, ERROR_DISK_FULL indicates that the hard drive is full and additional room is needed to complete Windows upgrade. The message STATUS_SOME_NOT_MAPPED is more ambiguous, and means that an action is pending. In this case, the action pending is often the cleanup operation from a previous installation attempt, which can be resolved with a system reboot. - -## Extend codes - ->**Important**: Extend codes reflect the current Windows 10 upgrade process, and might change in future releases of Windows 10. 
The codes discussed in this section apply to Windows 10 version 1607, also known as the Anniversary Update. - -Extend codes can be matched to the phase and operation when an error occurred. To match an extend code to the phase and operation: - -1. Use the first digit to identify the phase (ex: 0x4000D = 4). -2. Use the last two digits to identify the operation (ex: 0x4000D = 0D). -3. Match the phase and operation to values in the tables provided below. - -The following tables provide the corresponding phase and operation for values of an extend code: - -
    - - - -
    Extend code: phase
    HexPhase -
    0SP_EXECUTION_UNKNOWN -
    1SP_EXECUTION_DOWNLEVEL -
    2SP_EXECUTION_SAFE_OS -
    3SP_EXECUTION_FIRST_BOOT -
    4SP_EXECUTION_OOBE_BOOT -
    5SP_EXECUTION_UNINSTALL -
    - - - - - - - -
    Extend code: operation
    - -
    HexOperation -
    0SP_EXECUTION_OP_UNKNOWN -
    1SP_EXECUTION_OP_COPY_PAYLOAD -
    2SP_EXECUTION_OP_DOWNLOAD_UPDATES -
    3SP_EXECUTION_OP_INSTALL_UPDATES -
    4SP_EXECUTION_OP_INSTALL_RECOVERY_ENVIRONMENT -
    5SP_EXECUTION_OP_INSTALL_RECOVERY_IMAGE -
    6SP_EXECUTION_OP_REPLICATE_OC -
    7SP_EXECUTION_OP_INSTALL_DRVIERS -
    8SP_EXECUTION_OP_PREPARE_SAFE_OS -
    9SP_EXECUTION_OP_PREPARE_ROLLBACK -
    ASP_EXECUTION_OP_PREPARE_FIRST_BOOT -
    BSP_EXECUTION_OP_PREPARE_OOBE_BOOT -
    CSP_EXECUTION_OP_APPLY_IMAGE -
    DSP_EXECUTION_OP_MIGRATE_DATA -
    ESP_EXECUTION_OP_SET_PRODUCT_KEY -
    FSP_EXECUTION_OP_ADD_UNATTEND -
    -
    - -
    HexOperation -
    10SP_EXECUTION_OP_ADD_DRIVER -
    11SP_EXECUTION_OP_ENABLE_FEATURE -
    12SP_EXECUTION_OP_DISABLE_FEATURE -
    13SP_EXECUTION_OP_REGISTER_ASYNC_PROCESS -
    14SP_EXECUTION_OP_REGISTER_SYNC_PROCESS -
    15SP_EXECUTION_OP_CREATE_FILE -
    16SP_EXECUTION_OP_CREATE_REGISTRY -
    17SP_EXECUTION_OP_BOOT -
    18SP_EXECUTION_OP_SYSPREP -
    19SP_EXECUTION_OP_OOBE -
    1ASP_EXECUTION_OP_BEGIN_FIRST_BOOT -
    1BSP_EXECUTION_OP_END_FIRST_BOOT -
    1CSP_EXECUTION_OP_BEGIN_OOBE_BOOT -
    1DSP_EXECUTION_OP_END_OOBE_BOOT -
    1ESP_EXECUTION_OP_PRE_OOBE -
    1FSP_EXECUTION_OP_POST_OOBE -
    20SP_EXECUTION_OP_ADD_PROVISIONING_PACKAGE -
    -
    - -For example: An extend code of **0x4000D**, represents a problem during phase 4 (**0x4**) with data migration (**000D**). - -## Related topics - -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) -
    [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
    [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications) -
    [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) -
    [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) +--- +title: Upgrade error codes - Windows IT Pro +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. +keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro +author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Upgrade error codes + +**Applies to** +- Windows 10 + +>[!NOTE] +>This is a 400 level topic (advanced).
    +>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. + + +If the upgrade process is not successful, Windows Setup will return two codes: + +1. **A result code**: The result code corresponds to a specific Win32 or NTSTATUS error. +2. **An extend code**: The extend code contains information about both the *phase* in which an error occurred, and the *operation* that was being performed when the error occurred. + +>For example, a result code of **0xC1900101** with an extend code of **0x4000D** will be returned as: **0xC1900101 - 0x4000D**. + +Note: If only a result code is returned, this can be because a tool is being used that was not able to capture the extend code. For example, if you are using the [Windows 10 Upgrade Assistant](https://support.microsoft.com/kb/3159635) then only a result code might be returned. + +>[!TIP] +>If you are unable to locate the result and extend error codes, you can attempt to find these codes using Event Viewer. For more information, see [Windows Error Reporting](windows-error-reporting.md). + +## Result codes + +>A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue.
    To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](resolution-procedures.md) section later in this article. + +The following set of result codes are associated with [Windows Setup](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options) compatibility warnings: + +| Result code | Message | Description | +| --- | --- | --- | +| 0xC1900210 | MOSETUP_E_COMPAT_SCANONLY | Setup did not find any compat issue | +| 0xC1900208 | MOSETUP_E_COMPAT_INSTALLREQ_BLOCK | Setup found an actionable compat issue, such as an incompatible app | +| 0xC1900204 | MOSETUP_E_COMPAT_MIGCHOICE_BLOCK | The migration choice selected is not available (ex: Enterprise to Home) | +| 0xC1900200 | MOSETUP_E_COMPAT_SYSREQ_BLOCK | The computer is not eligible for Windows 10 | +| 0xC190020E | MOSETUP_E_INSTALLDISKSPACE_BLOCK | The computer does not have enough free space to install | + +A list of modern setup (mosetup) errors with descriptions in the range is available in the [Resolution procedures](resolution-procedures.md#modern-setup-errors) topic in this article. + +Other result codes can be matched to the specific type of error encountered. To match a result code to an error: + +1. Identify the error code type as either Win32 or NTSTATUS using the first hexadecimal digit: +
    **8** = Win32 error code (ex: 0x**8**0070070) +
    **C** = NTSTATUS value (ex: 0x**C**1900107) +2. Write down the last 4 digits of the error code (ex: 0x8007**0070** = 0070). These digits are the actual error code type as defined in the [HRESULT](https://msdn.microsoft.com/library/cc231198.aspx) or the [NTSTATUS](https://msdn.microsoft.com/library/cc231200.aspx) structure. Other digits in the code identify things such as the device type that produced the error. +3. Based on the type of error code determined in the first step (Win32 or NTSTATUS), match the 4 digits derived from the second step to either a Win32 error code or NTSTATUS value using the following links: + - [Win32 error code](https://msdn.microsoft.com/library/cc231199.aspx) + - [NTSTATUS value](https://msdn.microsoft.com/library/cc704588.aspx) + +Examples: +- 0x80070070 + - Based on the "8" this is a Win32 error code + - The last four digits are 0070, so look up 0x00000070 in the [Win32 error code](https://msdn.microsoft.com/library/cc231199.aspx) table + - The error is: **ERROR_DISK_FULL** +- 0xC1900107 + - Based on the "C" this is an NTSTATUS error code + - The last four digits are 0107, so look up 0x00000107 in the [NTSTATUS value](https://msdn.microsoft.com/library/cc704588.aspx) table + - The error is: **STATUS_SOME_NOT_MAPPED** + +Some result codes are self-explanatory, whereas others are more generic and require further analysis. In the examples shown above, ERROR_DISK_FULL indicates that the hard drive is full and additional room is needed to complete Windows upgrade. The message STATUS_SOME_NOT_MAPPED is more ambiguous, and means that an action is pending. In this case, the action pending is often the cleanup operation from a previous installation attempt, which can be resolved with a system reboot. + +## Extend codes + +>**Important**: Extend codes reflect the current Windows 10 upgrade process, and might change in future releases of Windows 10. 
The codes discussed in this section apply to Windows 10 version 1607, also known as the Anniversary Update. + +Extend codes can be matched to the phase and operation when an error occurred. To match an extend code to the phase and operation: + +1. Use the first digit to identify the phase (ex: 0x4000D = 4). +2. Use the last two digits to identify the operation (ex: 0x4000D = 0D). +3. Match the phase and operation to values in the tables provided below. + +The following tables provide the corresponding phase and operation for values of an extend code: + +
    + + + +
    Extend code: phase
    HexPhase +
    0SP_EXECUTION_UNKNOWN +
    1SP_EXECUTION_DOWNLEVEL +
    2SP_EXECUTION_SAFE_OS +
    3SP_EXECUTION_FIRST_BOOT +
    4SP_EXECUTION_OOBE_BOOT +
    5SP_EXECUTION_UNINSTALL +
    + + + + + + + +
    Extend code: operation
    + +
    HexOperation +
    0SP_EXECUTION_OP_UNKNOWN +
    1SP_EXECUTION_OP_COPY_PAYLOAD +
    2SP_EXECUTION_OP_DOWNLOAD_UPDATES +
    3SP_EXECUTION_OP_INSTALL_UPDATES +
    4SP_EXECUTION_OP_INSTALL_RECOVERY_ENVIRONMENT +
    5SP_EXECUTION_OP_INSTALL_RECOVERY_IMAGE +
    6SP_EXECUTION_OP_REPLICATE_OC +
    7SP_EXECUTION_OP_INSTALL_DRVIERS +
    8SP_EXECUTION_OP_PREPARE_SAFE_OS +
    9SP_EXECUTION_OP_PREPARE_ROLLBACK +
    ASP_EXECUTION_OP_PREPARE_FIRST_BOOT +
    BSP_EXECUTION_OP_PREPARE_OOBE_BOOT +
    CSP_EXECUTION_OP_APPLY_IMAGE +
    DSP_EXECUTION_OP_MIGRATE_DATA +
    ESP_EXECUTION_OP_SET_PRODUCT_KEY +
    FSP_EXECUTION_OP_ADD_UNATTEND +
    +
    + +
    HexOperation +
    10SP_EXECUTION_OP_ADD_DRIVER +
    11SP_EXECUTION_OP_ENABLE_FEATURE +
    12SP_EXECUTION_OP_DISABLE_FEATURE +
    13SP_EXECUTION_OP_REGISTER_ASYNC_PROCESS +
    14SP_EXECUTION_OP_REGISTER_SYNC_PROCESS +
    15SP_EXECUTION_OP_CREATE_FILE +
    16SP_EXECUTION_OP_CREATE_REGISTRY +
    17SP_EXECUTION_OP_BOOT +
    18SP_EXECUTION_OP_SYSPREP +
    19SP_EXECUTION_OP_OOBE +
    1ASP_EXECUTION_OP_BEGIN_FIRST_BOOT +
    1BSP_EXECUTION_OP_END_FIRST_BOOT +
    1CSP_EXECUTION_OP_BEGIN_OOBE_BOOT +
    1DSP_EXECUTION_OP_END_OOBE_BOOT +
    1ESP_EXECUTION_OP_PRE_OOBE +
    1FSP_EXECUTION_OP_POST_OOBE +
    20SP_EXECUTION_OP_ADD_PROVISIONING_PACKAGE +
    +
    + +For example: An extend code of **0x4000D**, represents a problem during phase 4 (**0x4**) with data migration (**000D**). + +## Related topics + +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +
    [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) +
    [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-/ifications) +
    [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) +
    [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) diff --git a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md index 253142dec4..43bc14033a 100644 --- a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md +++ b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md @@ -14,7 +14,7 @@ ms.collection: M365-analytics # Upgrade Readiness - Additional insights >[!IMPORTANT] ->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement). +>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement). This topic provides information on additional features that are available in Upgrade Readiness to provide insights into your environment. These include: diff --git a/windows/deployment/upgrade/upgrade-readiness-architecture.md b/windows/deployment/upgrade/upgrade-readiness-architecture.md index d9bc229c23..73b74906d7 100644 --- a/windows/deployment/upgrade/upgrade-readiness-architecture.md +++ b/windows/deployment/upgrade/upgrade-readiness-architecture.md 
@@ -14,7 +14,7 @@ ms.collection: M365-analytics
 # Upgrade Readiness architecture
 >[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
+>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
 Microsoft analyzes system, application, and driver diagnostic data to help you determine when computers are upgrade-ready, allowing you to simplify and accelerate Windows upgrades in your organization. The diagram below illustrates how Upgrade Readiness components work together in a typical installation.
diff --git a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md
index 322316fb07..af934eec08 100644
--- a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md
+++ b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md
@@ -17,7 +17,7 @@ ms.collection: M365-analytics
 # Upgrade Readiness data sharing
 >[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
+>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
 To enable data sharing with the Upgrade Readiness solution, double-check the endpoints list in [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md#enable-data-sharing) to be sure they are whitelisted.
diff --git a/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md b/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md
index eb4c1d88d8..7ae486f5d3 100644
--- a/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md
+++ b/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md
@@ -14,7 +14,7 @@ ms.collection: M365-analytics
 # Upgrade Readiness - Step 3: Deploy Windows
 >[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
+>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
 All of your work up to now involved reviewing and resolving application and driver issues. Along the way, as you’ve resolved issues and decided which applications and drivers are ready to upgrade, you’ve been building a list of computers that are upgrade ready. The blades in the **Deploy** section are:
diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
index a56896ded3..47787f4477 100644
--- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
+++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
@@ -17,7 +17,7 @@ ms.collection: M365-analytics
 # Upgrade Readiness deployment script
 >[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
+>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
 To automate the steps provided in [Get started with Upgrade Readiness](upgrade-readiness-get-started.md), and to troubleshoot data sharing issues, you can run the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft.
diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md
index bbac04bea3..0e4b6350ae 100644
--- a/windows/deployment/upgrade/upgrade-readiness-get-started.md
+++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md
@@ -19,7 +19,7 @@ ms.collection: M365-analytics
 # Get started with Upgrade Readiness
 >[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
+>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
 This topic explains how to obtain and configure Upgrade Readiness for your organization.
diff --git a/windows/deployment/upgrade/upgrade-readiness-identify-apps.md b/windows/deployment/upgrade/upgrade-readiness-identify-apps.md
index 61818a5efc..d726afe37b 100644
--- a/windows/deployment/upgrade/upgrade-readiness-identify-apps.md
+++ b/windows/deployment/upgrade/upgrade-readiness-identify-apps.md
@@ -14,7 +14,7 @@ ms.collection: M365-analytics
 # Upgrade Readiness - Step 1: Identify important apps
 >[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
+>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
 This is the first step of the Upgrade Readiness workflow. In this step, applications are listed and grouped by importance level. Setting the importance level enables you to prioritize applications for upgrade.
diff --git a/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md b/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md
index 7fdb58ffe0..76c3f064ee 100644
--- a/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md
+++ b/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md
@@ -16,7 +16,7 @@ ms.collection: M365-analytics
 # Upgrade Readiness - Step 4: Monitor
 >[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
+>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
 Now that you have started deploying an update with Upgrade Readiness, you can use it to monitor important elements.
diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md
index 5de1e052e6..b200bd292e 100644
--- a/windows/deployment/upgrade/upgrade-readiness-requirements.md
+++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md
@@ -16,7 +16,7 @@ ms.collection: M365-analytics
 # Upgrade Readiness requirements
 >[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
+>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
 This article introduces concepts and steps needed to get up and running with Upgrade Readiness. We recommend that you review this list of requirements before getting started as you may need to collect information, such as account credentials, and get approval from internal IT groups, such as your network security group, before you can start using Upgrade Readiness.
diff --git a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md
index 2c58536bd5..d657b61baa 100644
--- a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md
+++ b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md
@@ -16,7 +16,7 @@ ms.collection: M365-analytics
 # Upgrade Readiness - Step 2: Resolve app and driver issues
 >[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
+>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
 This section of the Upgrade Readiness workflow reports application and driver inventory and shows you which applications have known issues, which applications have no known issues, and which drivers have issues. We identify applications and drivers that need attention and suggest fixes when we know about them.
@@ -107,7 +107,7 @@ If you query with RollupLevel="NamePublisher", each version of the application c > > Upgrade Readiness also has a roll up level of **NamePublisher**, This level enables you to ignore different app versions within your organization for a particular app. In other words, **NamePublisher** displays statistics about a given app, aggregated across all versions. -The following table lists possible values for **ReadyForWindows** and what they mean. For more information, see [What does the Adoption Status mean?](https://developer.microsoft.com/en-us/windows/ready-for-windows#/faq/?scrollTo=faqStatuses) +The following table lists possible values for **ReadyForWindows** and what they mean. For more information, see [What does the Adoption Status mean?](https://developer.microsoft.com/windows/ready-for-windows#/faq/?scrollTo=faqStatuses) | Ready for Windows Status | Query rollup level | What this means | Guidance | |-------------------|--------------------------|-----------------|----------| 
@@ -174,7 +174,7 @@ Planning and executing an OS upgrade project can be overwhelming. When you are t
 The Upgrade Readiness proposed action plan is an optimally ordered list of apps and drivers that are in need of review. By testing apps and drivers in the order suggested by the proposed action plan, you are able to increase your number of “Ready to upgrade” computers in an efficient manner. The action plan can be a very powerful tool during upgrade planning – but it’s most helpful when it’s used correctly. This topic explains the proposed action plan, describes how to use it, and calls out a few misconceptions and invalid use cases that you should avoid.
-The proposed action plan represents the order thath Microsoft recommends you rationalize the upgrade-readiness of your apps and drivers. By validating apps and drivers in the order proposed, you can ensure that you are testing efficiently.
+The proposed action plan represents the order that Microsoft recommends you rationalize the upgrade-readiness of your apps and drivers. By validating apps and drivers in the order proposed, you can ensure that you are testing efficiently.
 Each item in the proposed action plan represents either an application or a driver that you have not yet marked “Ready to upgrade.”
diff --git a/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md b/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md
index 78c11d1569..314fd7a5a2 100644
--- a/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md
+++ b/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md
@@ -14,7 +14,7 @@ ms.collection: M365-analytics
 # Targeting a new operating system version
 >[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
+>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
 After you've used Upgrade Readiness to help deploy a given version of Windows 10, you might want to use it again to help deploy a newer version of Windows 10. When you change the target operating system version (as described in [Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md#target-version)), the app states (Importance, AppOwner, UpgradeDecision, TestPlan, and TestResult) are not reset. Follow this guidance to preserve or reset these states as needed:
diff --git a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
index 78ad55ad25..5a4b7b9357 100644
--- a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
+++ b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
@@ -14,7 +14,7 @@ ms.collection: M365-analytics
 # Upgrade Readiness - Upgrade overview
 >[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
+>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
 The first blade in the Upgrade Readiness solution is the upgrade overview blade. This blade displays the total count of computers sharing data with Microsoft, and the count of computers upgraded. As you successfully upgrade computers, the count of computers upgraded increases.
diff --git a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md
index 8faa48539f..f2fffff9ad 100644
--- a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md
+++ b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md
@@ -15,7 +15,7 @@ ms.topic: article # Use Upgrade Readiness to manage Windows upgrades >[!IMPORTANT] ->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement). +>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement). >[!IMPORTANT] >>**The OMS portal has been deprecated, so you need to switch to the [Azure portal](https://portal.azure.com) now.** The two portals offer the same experience, with some key differences. Learn how to use [Windows Analytics in the Azure Portal](../update/windows-analytics-azure-portal.md). Find out more about the [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition), or jump right in and [Get started with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-get-started). diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md index 77f1ae38b0..499fef06bd 100644 --- a/windows/deployment/upgrade/windows-error-reporting.md +++ b/windows/deployment/upgrade/windows-error-reporting.md @@ -9,7 +9,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay ms.localizationpriority: medium ms.topic: article --- 
@@ -19,7 +20,7 @@ ms.topic: article **Applies to** - Windows 10 ->[!NOTE] +> [!NOTE] > This is a 300 level topic (moderately advanced). > See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. @@ -28,8 +29,8 @@ When Windows Setup fails, the result and extend code are recorded as an informat To use Windows PowerShell, type the following commands from an elevated Windows PowerShell prompt: ->[!IMPORTANT] ->}The following source will be available only if you have updated from a previous version of Windows 10 to a new version. If you installed the current version and have not updated, the source named **WinSetupDiag02** will be unavailable. +> [!IMPORTANT] +> The following source will be available only if you have updated from a previous version of Windows 10 to a new version. If you installed the current version and have not updated, the source named **WinSetupDiag02** will be unavailable. ```Powershell $events = Get-WinEvent -FilterHashtable @{LogName="Application";ID="1001";Data="WinSetupDiag02"} diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md index b76cb0ec72..096ebe1151 100644 --- a/windows/deployment/windows-autopilot/add-devices.md +++ b/windows/deployment/windows-autopilot/add-devices.md 
@@ -27,7 +27,7 @@ Before deploying a device using Windows Autopilot, the device must be registered ## OEM registration -When you purchase devices directly from an OEM, that OEM can automatically register the devices with the Windows Autopilot deployment service. For the list of OEMs that currently support this, see the "Participant device manufacturers" section of the [Windows Autopilot information page](https://www.microsoft.com/windowsforbusiness/windows-autopilot). +When you purchase devices directly from an OEM, that OEM can automatically register the devices with the Windows Autopilot deployment service. For the list of OEMs that currently support this, see the "Participant device manufacturers and resellers" section of the [Windows Autopilot information page](https://aka.ms/windowsautopilot). Before an OEM can register devices on behalf of an organization, the organization must grant the OEM permission to do so. This process is initiated by the OEM, with approval granted by an Azure AD global administrator from the organization. See the "Customer Consent" section of the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#oem-authorization). diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index 294a31c04b..42b356bd61 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md 
@@ -653,7 +653,7 @@ Before we can pull an application into Intune to make it part of our AP profile, For the purposes of this lab, we’ll use the Notepad++ tool as our Win32 app. -Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available) and then opy the file to a known location, such as C:\Notepad++msi. +Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available) and then copy the file to a known location, such as C:\Notepad++msi. Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example: @@ -736,7 +736,7 @@ In the **Intune > Client Apps > Apps** pane, select the app package you already Select **Add Group** to open the **Add group** pane that is related to the app. -For our purposes, select *8Required** from the **Assignment type** dropdown menu: +For our purposes, select **Required** from the **Assignment type** dropdown menu: >**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website. @@ -758,7 +758,7 @@ In the app **Assignments** pane, select **Save**. At this point, you have completed steps to add a Win32 app to Intune. -For more information on adding adds to Intune, see [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps-win32-app-management). +For more information on adding apps to Intune, see [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps-win32-app-management). ### Add Office 365 diff --git a/windows/keep-secure/docfx.json b/windows/keep-secure/docfx.json index 49eb6c151a..884e478dcb 100644 --- a/windows/keep-secure/docfx.json +++ b/windows/keep-secure/docfx.json @@ -30,6 +30,7 @@ "overwrite": [], "externalReference": [], "globalMetadata": { + "feedback_system": "None", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.keep-secure", 
diff --git a/windows/release-information/resolved-issues-windows-10-1903.yml b/windows/release-information/resolved-issues-windows-10-1903.yml index 9226fbbd4e..9de5f0a7b9 100644 --- a/windows/release-information/resolved-issues-windows-10-1903.yml +++ b/windows/release-information/resolved-issues-windows-10-1903.yml @@ -32,6 +32,7 @@ sections: - type: markdown text: " + @@ -131,6 +132,7 @@ sections: - type: markdown text: "
    SummaryOriginating updateStatusDate resolved
    Cannot launch Camera app
    Microsoft and Intel have identified an issue affecting Intel RealSense SR300 or Intel RealSense S200 camera apps.

    See details >
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved
    KB4501375
    June 27, 2019
    10:00 AM PT
    Unable to discover or connect to Bluetooth devices using some Qualcomm adapters
    Microsoft has identified compatibility issues with some versions of Qualcomm Bluetooth radio drivers.

    See details >
    OS Build 18362.116

    May 20, 2019
    KB4505057
    Resolved
    KB4517389
    October 08, 2019
    10:00 AM PT
    Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters
    Some devices with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards may experience compatibility issues.

    See details >
    N/A

    Resolved
    KB4522355
    October 24, 2019
    10:00 AM PT
    dGPU occasionally disappear from device manager on Surface Book 2
    Some apps or games may close or fail to open on Surface Book 2 devices with Nvidia dGPU.

    See details >
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Resolved
    October 18, 2019
    04:33 PM PT
    + diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml index 217b281dbc..4b805689da 100644 --- a/windows/release-information/status-windows-10-1709.yml +++ b/windows/release-information/status-windows-10-1709.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    DetailsOriginating updateStatusHistory
    Cannot launch Camera app
    Microsoft and Intel have identified an issue affecting Intel RealSense SR300 and Intel RealSense S200 cameras when using the Camera app. After updating to the Windows 10 May 2019 Update and launching the Camera app, you may get an error message stating:
            \"Close other apps, error code: 0XA00F4243.”

    To safeguard your update experience, we have applied a protective hold on machines with Intel RealSense SR300 or Intel RealSense S200 cameras installed from being offered Windows 10, version 1903, until this issue is resolved.

    Affected platforms:
    • Client: Windows 10, version 1903
    Resolution: This issue was resolved in KB4501375 and the safeguard hold has been removed.

    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved
    KB4501375
    Resolved:
    June 27, 2019
    10:00 AM PT

    Opened:
    May 21, 2019
    07:20 AM PT
    Windows Sandbox may fail to start with error code “0x80070002”
    Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.

    Affected platforms:
    • Client: Windows 10, version 1903
    Resolution: This issue was resolved in KB4512941.

    Back to top
    OS Build 18362.116

    May 20, 2019
    KB4505057
    Resolved
    KB4512941
    Resolved:
    August 30, 2019
    10:00 AM PT

    Opened:
    May 24, 2019
    04:20 PM PT
    Display brightness may not respond to adjustments
    Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. After updating to Windows 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change.

    To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved.

    Affected platforms:
    • Client: Windows 10, version 1903
    Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed. Please ensure you have applied the resolving update before attempting to update to the Windows 10 May 2019 Update (version 1903). Please note, it can take up to 48 hours for the safeguard to be removed.

    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved
    KB4505903
    Resolved:
    July 26, 2019
    02:00 PM PT

    Opened:
    May 21, 2019
    07:56 AM PT
    Loss of functionality in Dynabook Smartphone Link app
    Some users may experience a loss of functionality after updating to Windows 10, version 1903 when using the Dynabook Smartphone Link application on Windows devices. Loss of functionality may affect the display of phone numbers in the Call menu and the ability to answer phone calls on the Windows PC.

    To safeguard your update experience, we have applied a compatibility hold on devices with Dynabook Smartphone Link from being offered Windows 10, version 1903, until this issue is resolved.

    Affected platforms:
    • Client: Windows 10, version 1903
    Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

    Back to top
    OS Build 18362.116

    May 20, 2019
    KB4505057
    Resolved
    Resolved:
    July 11, 2019
    01:54 PM PT

    Opened:
    May 24, 2019
    03:10 PM PT
    +
    SummaryOriginating updateStatusLast updated
    Unable to create local users in Chinese, Japanese and Korean during device setup
    You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

    See details >
    OS Build 16299.1387

    September 10, 2019
    KB4516066
    Mitigated
    October 29, 2019
    05:15 PM PT
    Intermittent issues when printing
    The print spooler service may intermittently have issues completing a print job and results print job failure.

    See details >
    OS Build 16299.1392

    September 23, 2019
    KB4522012
    Resolved
    KB4520004
    October 08, 2019
    10:00 AM PT
    Certain operations performed on a Cluster Shared Volume may fail
    Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

    See details >
    OS Build 16299.904

    January 08, 2019
    KB4480978
    Mitigated
    April 25, 2019
    02:00 PM PT
    @@ -72,6 +73,15 @@ sections:
    " +- title: October 2019 +- items: + - type: markdown + text: " + + +
    DetailsOriginating updateStatusHistory
    Unable to create local users in Chinese, Japanese and Korean during device setup
    When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.

    Note This issue does not affect using a Microsoft Account during OOBE.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
    • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
    Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.

    Next steps: We are working on a resolution and estimate a solution will be available in late November.

    Back to top
    OS Build 16299.1387

    September 10, 2019
    KB4516066
    Mitigated
    Last updated:
    October 29, 2019
    05:15 PM PT

    Opened:
    October 29, 2019
    05:15 PM PT
    + " + - title: September 2019 - items: - type: markdown
diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml
index 9480e53e4d..9f994933b5 100644
--- a/windows/release-information/status-windows-10-1803.yml
+++ b/windows/release-information/status-windows-10-1803.yml
@@ -64,6 +64,7 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    + @@ -78,6 +79,15 @@ sections:
    " +- title: October 2019 +- items: + - type: markdown + text: " +
    SummaryOriginating updateStatusLast updated
    Unable to create local users in Chinese, Japanese and Korean during device setup
    You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

    See details >
    OS Build 17134.1006

    September 10, 2019
    KB4516058
    Mitigated
    October 29, 2019
    05:15 PM PT
    Windows Mixed Reality Portal users may intermittently receive a 15-5 error code
    You may receive a 15-5 error code in Windows Mixed Reality Portal and your headset may not wake up from sleep.

    See details >
    OS Build 17134.950

    August 13, 2019
    KB4512501
    Resolved
    KB4519978
    October 15, 2019
    10:00 AM PT
    Startup to a black screen after installing updates
    Your device may startup to a black screen during the first logon after installing updates.

    See details >
    OS Build 17134.829

    June 11, 2019
    KB4503286
    Resolved
    KB4519978
    October 15, 2019
    10:00 AM PT
    Intermittent issues when printing
    The print spooler service may intermittently have issues completing a print job and results print job failure.

    See details >
    OS Build 17134.1009

    September 23, 2019
    KB4522014
    Resolved
    KB4520008
    October 08, 2019
    10:00 AM PT
    + +
    DetailsOriginating updateStatusHistory
    Unable to create local users in Chinese, Japanese and Korean during device setup
    When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.

    Note This issue does not affect using a Microsoft Account during OOBE.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
    • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
    Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.

    Next steps: We are working on a resolution and estimate a solution will be available in late November.

    Back to top
    OS Build 17134.1006

    September 10, 2019
    KB4516058
    Mitigated
    Last updated:
    October 29, 2019
    05:15 PM PT

    Opened:
    October 29, 2019
    05:15 PM PT
    + " + - title: September 2019 - items: - type: markdown
diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
index 101cc52d36..e26bde9233 100644
--- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
+++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
@@ -64,6 +64,7 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    + @@ -85,6 +86,7 @@ sections: - type: markdown text: "
    SummaryOriginating updateStatusLast updated
    Unable to create local users in Chinese, Japanese and Korean during device setup
    You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

    See details >
    OS Build 17763.737

    September 10, 2019
    KB4512578
    Mitigated
    October 29, 2019
    05:15 PM PT
    Microsoft Defender Advanced Threat Protection might stop running
    The Microsoft Defender ATP service might stop running and might fail to send reporting data.

    See details >
    OS Build 17763.832

    October 15, 2019
    KB4520062
    Investigating
    October 18, 2019
    04:23 PM PT
    Windows Mixed Reality Portal users may intermittently receive a 15-5 error code
    You may receive a 15-5 error code in Windows Mixed Reality Portal and your headset may not wake up from sleep.

    See details >
    OS Build 17763.678

    August 13, 2019
    KB4511553
    Resolved
    KB4520062
    October 15, 2019
    10:00 AM PT
    Startup to a black screen after installing updates
    Your device may startup to a black screen during the first logon after installing updates.

    See details >
    OS Build 17763.557

    June 11, 2019
    KB4503327
    Resolved
    KB4520062
    October 15, 2019
    10:00 AM PT
    +
    DetailsOriginating updateStatusHistory
    Unable to create local users in Chinese, Japanese and Korean during device setup
    When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.

    Note This issue does not affect using a Microsoft Account during OOBE.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
    • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
    Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.

    Next steps: We are working on a resolution and estimate a solution will be available in late November.

    Back to top
    OS Build 17763.737

    September 10, 2019
    KB4512578
    Mitigated
    Last updated:
    October 29, 2019
    05:15 PM PT

    Opened:
    October 29, 2019
    05:15 PM PT
    Microsoft Defender Advanced Threat Protection might stop running
    After installing the optional non-security update (KB4520062), the Microsoft Defender Advanced Threat Protection (ATP) service might stop running and might fail to send reporting data. You might also receive a 0xc0000409 error in Event Viewer on MsSense.exe.

    Note Microsoft Windows Defender Antivirus is not affected by this issue.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
    • Server: Windows Server, version 1809; Windows Server 2019
    Next steps: At this time, we suggest that devices in an affected environment do not install the optional non-security update, KB4520062. We are working on a resolution and estimate a solution will be available in mid-November.

    Back to top
    OS Build 17763.832

    October 15, 2019
    KB4520062
    Investigating
    Last updated:
    October 18, 2019
    04:23 PM PT

    Opened:
    October 17, 2019
    05:14 PM PT
    " diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml index ba1a2faffc..01ae8568a1 100644 --- a/windows/release-information/status-windows-10-1903.yml +++ b/windows/release-information/status-windows-10-1903.yml @@ -64,6 +64,8 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    + + @@ -73,7 +75,6 @@ sections: -
    SummaryOriginating updateStatusLast updated
    Unable to create local users in Chinese, Japanese and Korean during device setup
    You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

    See details >
    OS Build 18362.356

    September 10, 2019
    KB4515384
    Mitigated
    October 29, 2019
    05:15 PM PT
    Cannot launch Camera app
    Microsoft and Intel have identified an issue affecting Intel RealSense SR300 or Intel RealSense S200 camera apps.

    See details >
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved
    KB4501375
    June 27, 2019
    10:00 AM PT
    Unable to discover or connect to Bluetooth devices using some Qualcomm adapters
    Microsoft has identified compatibility issues with some versions of Qualcomm Bluetooth radio drivers.

    See details >
    OS Build 18362.116

    May 20, 2019
    KB4505057
    Resolved
    KB4517389
    October 08, 2019
    10:00 AM PT
    Unable to discover or connect to Bluetooth devices using some Realtek adapters
    Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.

    See details >
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Mitigated
    October 25, 2019
    04:21 PM PT
    Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters
    Some devices with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards may experience compatibility issues.

    See details >
    N/A

    Resolved
    KB4522355
    October 24, 2019
    10:00 AM PT
    Intermittent loss of Wi-Fi connectivity
    Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.

    See details >
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Mitigated External
    August 01, 2019
    08:44 PM PT
    Gamma ramps, color profiles, and night light settings do not apply in some cases
    Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

    See details >
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Mitigated
    August 01, 2019
    06:27 PM PT
    Intel Audio displays an intcdaud.sys notification
    Devices with a range of Intel Display Audio device drivers may experience battery drain.

    See details >
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Mitigated
    May 21, 2019
    04:47 PM PT
    Cannot launch Camera app
    Microsoft and Intel have identified an issue affecting Intel RealSense SR300 or Intel RealSense S200 camera apps.

    See details >
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Mitigated
    May 21, 2019
    04:47 PM PT
    " @@ -89,6 +90,7 @@ sections: - type: markdown text: " +
    DetailsOriginating updateStatusHistory
    Unable to create local users in Chinese, Japanese and Korean during device setup
    When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.

    Note This issue does not affect using a Microsoft Account during OOBE.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
    • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
    Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.

    Next steps: We are working on a resolution and estimate a solution will be available in late November.

    Back to top
    OS Build 18362.356

    September 10, 2019
    KB4515384
    Mitigated
    Last updated:
    October 29, 2019
    05:15 PM PT

    Opened:
    October 29, 2019
    05:15 PM PT
    Unable to discover or connect to Bluetooth devices using some Qualcomm adapters
    Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Qualcomm. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Qualcomm Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

    Affected platforms:
    • Client: Windows 10, version 1903
    • Server: Windows Server, version 1903
    Resolution: This issue was resolved in KB4517389 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903.

    Back to top
    OS Build 18362.116

    May 20, 2019
    KB4505057
    Resolved
    KB4517389
    Resolved:
    October 08, 2019
    10:00 AM PT

    Opened:
    October 25, 2019
    04:21 PM PT
    " @@ -126,10 +128,10 @@ sections: - type: markdown text: " + -
    DetailsOriginating updateStatusHistory
    Cannot launch Camera app
    Microsoft and Intel have identified an issue affecting Intel RealSense SR300 and Intel RealSense S200 cameras when using the Camera app. After updating to the Windows 10 May 2019 Update and launching the Camera app, you may get an error message stating:
            \"Close other apps, error code: 0XA00F4243.”

    To safeguard your update experience, we have applied a protective hold on machines with Intel RealSense SR300 or Intel RealSense S200 cameras installed from being offered Windows 10, version 1903, until this issue is resolved.

    Affected platforms:
    • Client: Windows 10, version 1903
    Resolution: This issue was resolved in KB4501375 and the safeguard hold has been removed.

    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved
    KB4501375
    Resolved:
    June 27, 2019
    10:00 AM PT

    Opened:
    May 21, 2019
    07:20 AM PT
    Unable to discover or connect to Bluetooth devices using some Realtek adapters
    Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

    Affected platforms:
    • Client: Windows 10, version 1903
    • Server: Windows Server, version 1903
    Workaround: Check with your device manufacturer (OEM) to see if an updated driver is available and install it. You will need to install a Realtek driver version greater than 1.5.1011.0.

    Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool. 

    Next steps: Microsoft is working with Realtek to release new drivers for all affected system via Windows Update.

    October 25, 2019 note This issue was previously grouped with the Qualcomm radio issue, which is now resolved. There is no change to this issue except to remove reference to Qualcomm.

    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Mitigated
    Last updated:
    October 25, 2019
    04:21 PM PT

    Opened:
    May 21, 2019
    07:29 AM PT
    Intermittent loss of Wi-Fi connectivity
    Some older computers may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

    To safeguard your upgrade experience, we have applied a hold on devices with this Qualcomm driver from being offered Windows 10, version 1903, until the updated driver is installed.

    Affected platforms:
    • Client: Windows 10, version 1903
    Workaround: Before updating to Windows 10, version 1903, you will need to download and install an updated Wi-Fi driver from your device manufacturer (OEM).
     
    Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you.

    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Mitigated External
    Last updated:
    August 01, 2019
    08:44 PM PT

    Opened:
    May 21, 2019
    07:13 AM PT
    Gamma ramps, color profiles, and night light settings do not apply in some cases
    Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

    Microsoft has identified some scenarios in which these features may have issues or stop working, for example:
    • Connecting to (or disconnecting from) an external monitor, dock, or projector
    • Rotating the screen
    • Updating display drivers or making other display mode changes
    • Closing full screen applications
    • Applying custom color profiles
    • Running applications that rely on custom gamma ramps
    Affected platforms:
    • Client: Windows 10, version 1903
    Workaround: If you find that your night light has stopped working, try turning the night light off and on, or restarting your computer. For other color setting issues, restart your computer to correct the issue.

    Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Mitigated
    Last updated:
    August 01, 2019
    06:27 PM PT

    Opened:
    May 21, 2019
    07:28 AM PT
    Intel Audio displays an intcdaud.sys notification
    Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to Windows 10, version 1903, you have an affected Intel Audio Display device driver installed on your machine (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8).
      
    To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809
    Workaround:
    On the “What needs your attention\" notification, click the Back button to remain on your current version of Windows 10. (Do not click Confirm as this will proceed with the update and you may experience compatibility issues.) Affected devices will automatically revert to the previous working configuration.

    For more information, see Intel's customer support guidance and the Microsoft knowledge base article KB4465877.

    Note We recommend you do not attempt to update your devices until newer device drivers are installed.

    Next steps: You can opt to wait for newer drivers to be installed automatically through Windows Update or check with the computer manufacturer for the latest device driver software availability and installation procedures.

    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Mitigated
    Last updated:
    May 21, 2019
    04:47 PM PT

    Opened:
    May 21, 2019
    07:22 AM PT
    Cannot launch Camera app
    Microsoft and Intel have identified an issue affecting Intel RealSense SR300 and Intel RealSense S200 cameras when using the Camera app. After updating to the Windows 10 May 2019 Update and launching the Camera app, you may get an error message stating:

    \"Close other apps, error code: 0XA00F4243.”


    To safeguard your update experience, we have applied a protective hold on machines with Intel RealSense SR300 or Intel RealSense S200 cameras installed from being offered Windows 10, version 1903, until this issue is resolved.

    Affected platforms:
    • Client: Windows 10, version 1903
    Workaround: To temporarily resolve this issue, perform one of the following:

    • Unplug your camera and plug it back in.

    or

    • Disable and re-enable the driver in Device Manager. In the Search box, type \"Device Manager\" and press Enter. In the Device Manager dialog box, expand Cameras, then right-click on any RealSense driver listed and select Disable device. Right click on the driver again and select Enable device.

    or

    • Restart the RealSense service. In the Search box, type \"Task Manager\" and hit Enter. In the Task Manager dialog box, click on the Services tab, right-click on RealSense, and select Restart
    Note This workaround will only resolve the issue until your next system restart.

    Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Mitigated
    Last updated:
    May 21, 2019
    04:47 PM PT

    Opened:
    May 21, 2019
    07:20 AM PT
    " diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index f00875d1a2..c1a9b60e79 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -23,19 +23,21 @@ In Windows 10, Windows Hello for Business replaces passwords with strong two-fa Windows Hello for Business lets user authenticate to an Active Directory or Azure Active Directory account. Windows Hello addresses the following problems with passwords: -- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites. -- Server breaches can expose symmetric network credentials (passwords). -- Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673). -- Users can inadvertently expose their passwords due to [phishing attacks](https://docs.microsoft.com/windows/security/threat-protection/intelligence/phishing). + +- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites. +- Server breaches can expose symmetric network credentials (passwords). +- Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673). +- Users can inadvertently expose their passwords due to [phishing attacks](https://docs.microsoft.com/windows/security/threat-protection/intelligence/phishing). >[!div class="mx-tdBreakAll"] >| | | | >| :---: | :---: | :---: | >| [![Overview Icon](images/hello_filter.png)](hello-overview.md)
    [Overview](hello-overview.md) | [![Why a PIN is better than a password Icon](images/hello_lock.png)](hello-why-pin-is-better-than-password.md)
    [Why PIN is better than a password](hello-why-pin-is-better-than-password.md) | [![Manage Hello Icon](images/hello_gear.png)](hello-manage-in-organization.md)
    [Manage Windows Hello in your Organization](hello-manage-in-organization.md) | -## Prerequisites +## Prerequisites ### Cloud Only Deployment + * Windows 10, version 1511 or later * Microsoft Azure Account * Azure Active Directory @@ -44,6 +46,7 @@ Windows Hello addresses the following problems with passwords: * Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory ### Hybrid Deployments + The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process. | Key trust
    Group Policy managed | Certificate trust
    Mixed managed | Key trust
    Modern managed | Certificate trust
    Modern managed | @@ -54,25 +57,26 @@ The table shows the minimum requirements for each deployment. For key trust in a | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | | N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients),
    and
    Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service | -| Azure MFA tenant, or
    AD FS w/Azure MFA adapter, or
    AD FS w/Azure MFA Server adapter, or
    AD FS w/3rd Party MFA Adapter| Azure MFA tenant, or
    AD FS w/Azure MFA adapter, or
    AD FS w/Azure MFA Server adapter, or
    AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
    AD FS w/Azure MFA adapter, or
    AD FS w/Azure MFA Server adapter, or
    AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
    AD FS w/Azure MFA adapter, or
    AD FS w/Azure MFA Server adapter, or
    AD FS w/3rd Party MFA Adapter | +| Azure MFA tenant, or
    AD FS w/Azure MFA adapter, or
    AD FS w/3rd Party MFA Adapter| Azure MFA tenant, or
    AD FS w/Azure MFA adapter, or
    AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
    AD FS w/Azure MFA adapter, or
    AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
    AD FS w/Azure MFA adapter, or
    AD FS w/3rd Party MFA Adapter | | Azure Account | Azure Account | Azure Account | Azure Account | | Azure Active Directory | Azure Active Directory | Azure Active Directory | Azure Active Directory | | Azure AD Connect | Azure AD Connect | Azure AD Connect | Azure AD Connect | | Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional for automatic MDM enrollment | Azure AD Premium, optional for automatic MDM enrollment | -### On-premises Deployments +### On-premises Deployments + The table shows the minimum requirements for each deployment. | Key trust
    Group Policy managed | Certificate trust
    Group Policy managed| -| --- | --- | +| --- | --- | | Windows 10, version 1703 or later | Windows 10, version 1703 or later | | Windows Server 2016 Schema | Windows Server 2016 Schema| | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) | -| AD FS with Azure MFA Server, or
    AD FS with 3rd Party MFA Adapter | AD FS with Azure MFA Server, or
    AD FS with 3rd Party MFA Adapter | +| AD FS with 3rd Party MFA Adapter | AD FS with 3rd Party MFA Adapter | | Azure Account, optional for Azure MFA billing | Azure Account, optional for Azure MFA billing | >[!IMPORTANT] -> For Windows Hello for Business deployment, if you have several domains, at least one Windows Server Domain Controller 2016 is required for each domain. For more information, see the [planning guide](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers). +> For Windows Hello for Business key trust deployments, if you have several domains, at least one Windows Server Domain Controller 2016 or newer is required for each domain. For more information, see the [planning guide](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers). diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md index 830bfcfcfc..702f62e6d4 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-events.md +++ b/windows/security/identity-protection/smart-cards/smart-card-events.md @@ -97,14 +97,14 @@ The smart card reader device name is constructed in the form <*VendorName*> | 607 | Reader object failed to start monitor thread:  %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
    %1 = Windows error code | | 608 | Reader monitor failed to create power down timer: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
    %1 = Windows error code | | 609 | Reader monitor failed to create overlapped event:  %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
    %1 = Windows error code | -| 610 | Smart Card Reader '%2' rejected IOCTL %3: %1  If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader cannot successfully transmit the indicated IOCTL to the smart card. This can indicate hardware failure, but this error can also occur if a smart card or smart card reader is removed from the system while an operation is in progress.
    %1 = Windows error code
    %2 = Name of the smart card reader
    %3 = IOCTL that was sent
    %4 = First 4 bytes of the command sent to the smart card | +| 610 | Smart Card Reader '%2' rejected IOCTL %3: %1 If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader cannot successfully transmit the indicated IOCTL to the smart card. This is a benign error that does not affect end use of a smart card and can be ignored.
    %1 = Windows error code
    %2 = Name of the smart card reader
    %3 = IOCTL that was sent
    %4 = First 4 bytes of the command sent to the smart card | | 611 | Smart Card Reader initialization failed | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve this issue. | | 612 | Reader insertion monitor error retry threshold reached:  %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
    %1 = Windows error code | | 615 | Reader removal monitor error retry threshold reached:  %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
    %1 = Windows error code | | 616 | Reader monitor '%2' received uncaught error code:  %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
    %1 = Windows error code
    %2 = Reader name | | 617 | Reader monitor '%1' exception -- exiting thread | An unknown error occurred while monitoring a smart card reader for smart card insertions and removals. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
    %1 = Smart card reader name | | 618 | Smart Card Resource Manager encountered an unrecoverable internal error. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. | -| 621 | Server Control failed to access start event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
    %1 = Windows error code | +| 621 | Server Control failed to access start event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. This error may also occur if the event is queried before the smart card service is ready. In this case the error is benign and can be ignored.
    %1 = Windows error code | | 622 | Server Control failed to access stop event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
    %1 = Windows error code | ## Smart card Plug and Play events diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md index f6d1a67328..bf7360d125 100644 --- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md +++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md @@ -49,6 +49,9 @@ The recovery process included in this topic only works for desktop devices. WIP 4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [System Center Configuration Manager](create-wip-policy-using-sccm.md). +> [!NOTE] +> This certificate can be used in Intune for policies both _with_ device enrollment (MDM) and _without_ device enrollment (MAM). + ## Verify your data recovery certificate is correctly set up on a WIP client computer 1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it’s encrypted by WIP. diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 07f4e9fc61..40cb0c1a6c 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -9,7 +9,7 @@
 #### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
 #### [Configuration score](microsoft-defender-atp/configuration-score.md)
 #### [Security recommendation](microsoft-defender-atp/tvm-security-recommendation.md)
-#### [Remediation](microsoft-defender-atp/tvm-remediation.md)
+#### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md)
 #### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
 #### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md)
 #### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md)
@@ -122,10 +122,13 @@
 ##### [NetworkCommunicationEvents](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md)
 ##### [ProcessCreationEvents](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md)
 ##### [RegistryEvents](microsoft-defender-atp/advanced-hunting-registryevents-table.md)
+##### [DeviceTvmSoftwareInventoryVulnerabilities](microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md)
+##### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md)
+##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md)
+##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md)
 #### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
 #### [Stream Advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md)
-
 #### [Custom detections]()
 ##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md)
 ##### [Create and manage custom detections rules](microsoft-defender-atp/custom-detection-rules.md)
@@ -317,8 +320,12 @@
 ##### [Manual deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md)
 #### [Update Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-updates.md)
 #### [Configure Microsoft Defender ATP for Mac]()
+##### [Configure and validate exclusions](windows-defender-antivirus/microsoft-defender-atp-mac-exclusions.md)
 ##### [Set preferences for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md)
 ##### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/microsoft-defender-atp-mac-pua.md)
+#### [Troubleshoot Microsoft Defender ATP for Mac]()
+##### [Troubleshoot performance issues](windows-defender-antivirus/microsoft-defender-atp-mac-support-perf.md)
+##### [Troubleshoot kernel extension issues](windows-defender-antivirus/microsoft-defender-atp-mac-support-kext.md)
 #### [Privacy for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md)
 #### [Resources for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-resources.md)
diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
index 2fa857956a..74a43afb5e 100644
--- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
+++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
@@ -50,8 +50,10 @@ The following table describes the ways Microsoft Defender ATP can allow or block
 |----------|-------------|
 | [Restrict USB drives and other peripherals](#restrict-usb-drives-and-other-peripherals) | You can allow/prevent users to install only the USB drives and other peripherals included on a list of authorized/unauthorized devices or device types. |
 | [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | You can't install or use removable storage. |
-| [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | You can only install and use approved peripherals that report specific properties in their firmware. |
+| [Allow installation and usage of specifically approved peripherals](#allow-installation-and-usage-of-specifically-approved-peripherals) | You can only install and use approved peripherals that report specific properties in their firmware. |
 | [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | You can't install or use prohibited peripherals that report specific properties in their firmware. |
+| [Allow installation and usage of specifically approved peripherals with matching device instance IDs](#allow-installation-and-usage-of-specifically-approved-peripherals-with-matching-device-instance-ids) | You can only install and use approved peripherals that match any of these device instance IDs. |
+| [Prevent installation and usage of specifically prohibited peripherals with matching device instance IDs](#prevent-installation-and-usage-of-specifically-prohibited-peripherals-with-matching-device-instance-ids) | You can't install or use prohibited peripherals that match any of these device instance IDs. |
 | [Limit services that use Bluetooth](#limit-services-that-use-bluetooth) | You can limit the services that can use Bluetooth. |
 | [Use Microsoft Defender ATP baseline settings](#use-microsoft-defender-atp-baseline-settings) | You can set the recommended configuration for ATP by using the Microsoft Defender ATP security baseline. |
@@ -169,7 +171,7 @@ Select-Object -Property *
 7. Click **Create** to save the profile.
-### Only allow installation and usage of specifically approved peripherals
+### Allow installation and usage of specifically approved peripherals
 Peripherals that are allowed to be installed can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks and allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
@@ -183,6 +185,18 @@ Microsoft Defender ATP blocks installation and usage of prohibited peripherals b
 - [Administrative Templates](https://docs.microsoft.com/intune/administrative-templates-windows) can block any device with a matching hardware ID or setup class.
 - [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) with a custom profile in Intune. You can [prevent installation of specific device IDs](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceids) or [prevent specific device classes](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdevicesetupclasses).
+### Allow installation and usage of specifically approved peripherals with matching device instance IDs
+
+Peripherals that are allowed to be installed can be specified by their [device instance IDs](https://docs.microsoft.com/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
+
+You can allow installation and usage of approved peripherals with matching device instance IDs by configuring [DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdeviceinstanceids) policy setting.
+
+### Prevent installation and usage of specifically prohibited peripherals with matching device instance IDs
+
+Peripherals that are prohibited to be installed can be specified by their [device instance IDs](https://docs.microsoft.com/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
+
+You can prevent installation of the prohibited peripherals with matching device instance IDs by configuring [DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceinstanceids) policy setting.
+
 ### Limit services that use Bluetooth
 Using Intune, you can limit the services that can use Bluetooth through the ["Bluetooth allowed services"](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-bluetooth#servicesallowedlist-usage-guide). The default state of "Bluetooth allowed services" settings means everything is allowed. As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and doesn’t add the file transfer GUIDs, file transfer should be blocked.
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 663976a44a..bbba6bbb82 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -1,7 +1,7 @@
 ---
 title: Threat Protection (Windows 10)
 description: Learn how Microsoft Defender ATP helps protect against threats.
-keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, secure score, advanced hunting, cyber threat hunting
+keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, secure score, advanced hunting, cyber threat hunting, web threat protection
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -64,7 +64,7 @@ The attack surface reduction set of capabilities provide the first line of defen
 - [Application control](windows-defender-application-control/windows-defender-application-control.md)
 - [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
 - [Exploit protection](microsoft-defender-atp/exploit-protection.md)
-- [Network protection](microsoft-defender-atp/network-protection.md), [Web protection](microsoft-defender-atp/web-protection-overview.md)
+- [Network protection](microsoft-defender-atp/network-protection.md), [web protection](microsoft-defender-atp/web-protection-overview.md)
 - [Controlled folder access](microsoft-defender-atp/controlled-folders.md)
 - [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
 - [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
index e269b25de8..c0b6610350 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
@@ -25,6 +25,8 @@ ms.date: 10/08/2019
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+[!include[Prerelease information](prerelease.md)]
+
 The [Advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema.
 ## Schema tables
@@ -45,7 +47,11 @@ Table and column names are also listed within the Microsoft Defender Security Ce
 | **[LogonEvents](advanced-hunting-logonevents-table.md)** | Sign-ins and other authentication events |
 | **[ImageLoadEvents](advanced-hunting-imageloadevents-table.md)** | DLL loading events |
 | **[MiscEvents](advanced-hunting-miscevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
+| **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-tvm-softwareinventory-table.md)** | Vulnerabilities in your software inventory |
+| **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-tvm-softwarevulnerability-table.md)** | Publicly-available vulnerabilities and whether they exist in your software inventory |
+| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-tvm-configassessment-table.md)** | Security configuration assessment information |
+| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-tvm-secureconfigkb-table.md)** | Basis of security configuration assessment such as security industry standards and benchmarks |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
\ No newline at end of file
+- [Learn the query language](advanced-hunting-query-language.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md
new file mode 100644
index 0000000000..35d38020d6
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md
@@ -0,0 +1,53 @@
+---
+title: DeviceTvmSecureConfigurationAssessment table in the Advanced hunting schema
+description: Learn about the DeviceTvmSecureConfigurationAssessment table in the Advanced hunting schema, such as machine ID, computer name, operating system platform, security configuration details, impact, and compliance information.
+keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query security configuration, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, DeviceTvmSecureConfigurationAssessment
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 10/27/2019
+---
+
+# DeviceTvmSecureConfigurationAssessment
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+[!include[Prerelease information](prerelease.md)]
+
+Each row in the DeviceTvmSecureConfigurationAssessment table contains an assessment event for a specific security configuration. Use this reference to check the latest assessment results and determine whether device are compliant.
+
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| MachineId | string | Unique identifier for the machine in the service |
+| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
+| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
+| Timestamp | datetime |Date and time when the record was generated|
+| ConfigurationId | string | Unique identifier for a specific configuration |
+| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
+| ConfigurationSubcategory | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
+| ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) |
+| IsCompliant | boolean | Indicates whether the configuration or policy is properly configured |
+
+
+## Related topics
+
+- [Advanced hunting overview](overview-hunting.md)
+- [All Advanced hunting tables](advanced-hunting-reference.md)
+- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
+- [Query data using Advanced hunting](advanced-hunting.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md
new file mode 100644
index 0000000000..857a5731c6
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md
@@ -0,0 +1,53 @@
+---
+title: DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema
+description: Learn about the DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema, security configuration details, and the associated industry benchmarks that it adheres to.
+keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query security configuration, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, MITRE ATT&CK framework, DeviceTvmSecureConfigurationAssessmentKB
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 10/27/2019
+---
+
+# DeviceTvmSecureConfigurationAssessmentKB
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+[!include[Prerelease information](prerelease.md)]
+
+The DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema contains information about the various secure configuration TVM checks during assessments related to your organization. An example of a security configuration is to block JavaScript or VBScript from launching downloaded executable content to prevent accidentally downloading malicious files in your network. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| ConfigurationId | string | Unique identifier for a specific configuration |
+| ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) |
+| ConfigurationName | string | Display name of the configuration |
+| ConfigurationDescription | string | Description of the configuration |
+| RiskDescription | string | Description of the associated risk |
+| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
+| ConfigurationSubcategory | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
+| ConfigurationBenchmarks | string | List of industry benchmarks recommending the same or similar configuration |
+| RelatedMitreTechniques | string | List of Mitre ATT&CK framework techniques related to the configuration |
+| RelatedMitreTactics | string | List of Mitre ATT&CK framework tactics related to the configuration|
+
+## Related topics
+
+- [Advanced hunting overview](overview-hunting.md)
+- [All Advanced hunting tables](advanced-hunting-reference.md)
+- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
+- [Query data using Advanced hunting](advanced-hunting.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md
new file mode 100644
index 0000000000..fcf0c2e4bd
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md
@@ -0,0 +1,56 @@
+---
+title: DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema
+description: Learn about the DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema, such as operating system platform, version, and architecture, software vendor, name, and version, CVE ID, vulnerability severity, and descriptions
+keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query software inventory, query software vulnerability inventory, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, DeviceTvmSoftwareInventoryVulnerabilities
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 10/27/2019
+---
+
+# DeviceTvmSoftwareInventoryVulnerabilities
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+
+[!include[Prerelease information](prerelease.md)]
+
+The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains an inventory of the software on your devices as well as any known vulnerabilities in the software products. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| MachineId | string | Unique identifier for the machine in the service |
+| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
+| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
+| OSVersion | string | Version of the operating system running on the machine |
+| OSArchitecture | string | Architecture of the operating system running on the machine|
+| SoftwareVendor | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape|
+| SoftwareName | string | Name of the software product|
+|SoftwareVersion | string | Version number of the software product|
+| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system|
+| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape|
+
+
+
+## Related topics
+
+- [Advanced hunting overview](overview-hunting.md)
+- [All Advanced hunting tables](advanced-hunting-reference.md)
+- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
+- [Query data using Advanced hunting](advanced-hunting.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md
new file mode 100644
index 0000000000..757ad9858c
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md
@@ -0,0 +1,51 @@
+---
+title: DeviceTvmSoftwareVulnerabilitiesKB table in the Advanced hunting schema
+description: Learn about the DeviceTvmSoftwareVulnerabilitiesKB table in the Advanced hunting schema, such as CVE ID, CVSS score, exploit availability, vulnerability severity, last modified time, date the vulnerability was disclosed to public, and affected software in your network.
+keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query software vulnerability inventory, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, DeviceTvmSoftwareVulnerabilitiesKB
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 10/27/2019
+---
+
+# DeviceTvmSoftwareVulnerabilitiesKB
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+[!include[Prerelease information](prerelease.md)]
+
+The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains information about the vulnerabilities Threat & Vulnerability Management assesses devices for. Use this reference along with DeviceTvmSoftwareInventoryVulnerabilities to construct queries that return information on the metadata related to the vulnerabilities in your inventory.
+
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system|
+| CvssScore | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS)|
+| IsExploitAvailable | boolean | Indicates whether exploit code for the vulnerability is publicly available|
+| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape|
+| LastModifiedTime | datetime | Date and time the item or related metadata was last modified|
+| PublishedDate | datetime | Date vulnerability was disclosed to public|
+| VulnerabilityDescription | string | Description of vulnerability and associated risks|
+| AffectedSoftware | string | List of all software products affected by the vulnerability|
+
+## Related topics
+
+- [Advanced hunting overview](overview-hunting.md)
+- [All Advanced hunting tables](advanced-hunting-reference.md)
+- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
+- [Query data using Advanced hunting](advanced-hunting.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
index 4eafbbefa8..6a076bfb65
--- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
@@ -60,7 +60,7 @@ See how you can [improve your security configuration](https://docs.microsoft.com >- RS3 customers | [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071) > >To download the security updates: ->1. Go to [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/home.aspx). +>1. Go to [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/home.aspx). >2. Key-in the security update KB number that you need to download, then click **Search**. ## Related topics @@ -68,7 +68,7 @@ See how you can [improve your security configuration](https://docs.microsoft.com - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Security recommendations](tvm-security-recommendation.md) -- [Remediation](tvm-remediation.md) +- [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md index d0dfe6add3..2373d0cf56 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md 
@@ -33,10 +33,10 @@ The topics in this section describe how to configure attack surface reduction. E Topic | Description -|- -[Enable hardware-based isolation for Microsoft Edge](../windows-defender-application-guard/install-wd-app-guard.md) | How to preprare for and install Application Guard, including hardware and softeware requirements -[Enable application control](../windows-defender-application-control/windows-defender-application-control.md)|How to control applications run by users and potect kernel mode processes +[Enable hardware-based isolation for Microsoft Edge](../windows-defender-application-guard/install-wd-app-guard.md) | How to prepare for and install Application Guard, including hardware and software requirements +[Enable application control](../windows-defender-application-control/windows-defender-application-control.md)|How to control applications run by users and protect kernel mode processes [Exploit protection](./enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps -[Network protection](./enable-network-protection.md)|How to prevent users from using any apps to acces dangerous domains +[Network protection](./enable-network-protection.md)|How to prevent users from using any apps to access dangerous domains [Controlled folder access](./enable-controlled-folders.md)|How to protect valuable data from malicious apps -[Attack surface reduction](./enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used for by exploit-seeking malware +[Attack surface reduction](./enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used by exploit-seeking malware [Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)|How to protect devices and data across a network 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index 01c3049bde..6140a832e2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md @@ -24,7 +24,10 @@ ms.topic: article - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ## Before you begin -Ensure that you have Microsoft Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up. +Ensure that you have Microsoft Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up. + +>[!NOTE] +>Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive targeted attack notifications and to collaborate with experts on demand. A Microsoft Threat Experts subscription is a prerequisite for experts on demand collaboration. ## Register to Microsoft Threat Experts managed threat hunting service If you're already a Microsoft Defender ATP customer, you can apply through the Microsoft Defender ATP portal. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 8c0c0aa43c..95e0136a97 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md 
@@ -141,7 +141,7 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 1. Download the [connectivity verification tool](https://aka.ms/mdatpanalyzer) to the PC where Microsoft Defender ATP sensor is running on. -2. Extract the contents of WDATPConnectivityAnalyzer on the machine. +2. Extract the contents of MDATPClientAnalyzer on the machine. 3. Open an elevated command-line: @@ -152,19 +152,19 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 4. Enter the following command and press **Enter**: ```PowerShell - HardDrivePath\WDATPConnectivityAnalyzer.cmd + HardDrivePath\MDATPClientAnalyzer.cmd ``` - Replace *HardDrivePath* with the path where the WDATPConnectivityAnalyzer tool was downloaded to, for example + Replace *HardDrivePath* with the path where the MDATPClientAnalyzer tool was downloaded to, for example ```PowerShell - C:\Work\tools\WDATPConnectivityAnalyzer\WDATPConnectivityAnalyzer.cmd + C:\Work\tools\MDATPClientAnalyzer\MDATPClientAnalyzer.cmd ``` -5. Extract the *WDATPConnectivityAnalyzerResult.zip* file created by tool in the folder used in the *HardDrivePath*. +5. Extract the *MDATPClientAnalyzerResult.zip* file created by tool in the folder used in the *HardDrivePath*. -6. Open *WDATPConnectivityAnalyzer.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.

    - The tool checks the connectivity of Microsoft Defender ATP service URLs that Microsoft Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Microsoft Defender ATP services. For example: +6. Open *MDATPClientAnalyzerResult.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.

    + The tool checks the connectivity of Microsoft Defender ATP service URLs that Microsoft Defender ATP client is configured to interact with. It then prints the results into the *MDATPClientAnalyzerResult.txt* file for each URL that can potentially be used to communicate with the Microsoft Defender ATP services. For example: ```text Testing URL : https://xxx.microsoft.com/xxx diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancellation.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancellation.png new file mode 100644 index 0000000000..27b00fdd87 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancellation.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-confirmation.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-confirmation.png new file mode 100644 index 0000000000..d0eb92e377 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-confirmation.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dashboard.png new file mode 100644 index 0000000000..3f8ead879c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dashboard.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-details.png new file mode 100644 index 0000000000..9acba5c77f Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-details.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dropdown.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dropdown.png new file mode 100644 index 0000000000..31d16836b0 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dropdown.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-filters.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-filters.png new file mode 100644 index 0000000000..6cafba6c3d Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-filters.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-flyout.png new file mode 100644 index 0000000000..e01d9f53a5 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-flyout.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-impact.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-impact.png new file mode 100644 index 0000000000..072835588a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-impact.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-list.png new file mode 100644 index 0000000000..dbd99451af Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-list.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-option.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-option.png new file mode 100644 index 0000000000..98d59f5c07 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-option.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-granular-exploit.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-granular-exploit.png new file mode 100644 index 0000000000..00d29b4a0c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-granular-exploit.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-threat-insights.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-threat-insights.png index a40e39c3d0..2f9717883f 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-threat-insights.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-threat-insights.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-page.png new file mode 100644 index 0000000000..36ca63f7bf Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-page.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_alert_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_alert_icon.png index ebd390bd98..863c7e4fbe 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_alert_icon.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_alert_icon.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_bug_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_bug_icon.png index b87ba02a90..e81d73f631 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_bug_icon.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_bug_icon.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md index fc60334993..ed62718fa4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md @@ -23,7 +23,6 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) 
@@ -107,9 +106,8 @@ When you add an indicator hash for a file, you can choose to raise an alert and Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue. - ## Create indicators for IPs and URLs/domains (preview) -Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs through Windows Defender SmartScreen for Microsoft browsers and Network Protection for non-Microsoft browsers and calls made outside the browser. +Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs, through Windows Defender SmartScreen for Microsoft browsers, and through Network Protection for non-Microsoft browsers or calls made outside of a browser. The threat intelligence data set for this has been managed by Microsoft. diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md index e17508a0f9..358b596f33 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md 
@@ -25,6 +25,9 @@ ms.topic: conceptual Microsoft Threat Experts is a managed detection and response (MDR) service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don’t get missed. This new capability provides expert-driven insights and data through targeted attack notification and access to experts on demand. + +>[!NOTE] +>Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive targeted attack notifications and to collaborate with experts on demand. A Microsoft Threat Experts subscription is a prerequisite for experts on demand collaboration. See [Configure Microsoft Threat Experts capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#before-you-begin) for details. ## Targeted attack notification Microsoft Threat Experts provides proactive hunting for the most important threats to your network, including human adversary intrusions, hands-on-keyboard attacks, or advanced attacks like cyberespionage. The managed hunting service includes: diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index 57782a8e2b..e9723fa61e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md 
@@ -37,7 +37,7 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr - Windows 10 Enterprise E5 - Windows 10 Education E5 - Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5 -- Microsoft 365 E3 (M365 E3) with Identity and Threat Protection package + For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare). diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md index 3a670e00a5..eecae45f38 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md +++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md @@ -62,7 +62,7 @@ Microsoft Defender ATP’s Threat & Vulnerability Management allows security adm - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) - [Security recommendations](tvm-security-recommendation.md) -- [Remediation](tvm-remediation.md) +- [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index ce93c62494..c9129e6196 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md @@ -42,11 +42,15 @@ Turn on the preview experience setting to be among the first to try upcoming fea ## Preview features The following features are included in the preview release: -- [Indicators for IP addresses, URLs/Domains](manage-indicators.md)
    You can now allow or block URLs/domains using your own threat intelligence. - - [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac)
    Microsoft Defender ATP for Mac brings the next-generation protection, and endpoint detection and response coverage to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices. -- [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy)
    You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy). +- [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy)
    You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy). + +- [Threat & Vulnerability Management Advanced Hunting Schemas](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table)
    You can now use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase. + + - [Threat & Vulnerability Management role-based access controls](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
    You can now use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions. + +- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
    You can now see a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories. - [Machine health and compliance report](machine-reports.md) The machine health and compliance report provides high-level information about the devices in your organization. diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index f7512247e0..df00947476 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md 
@@ -143,12 +143,40 @@ When an exception is created for a recommendation, the recommendation is no long 2. Click the top-most recommendation. A flyout panel opens with the recommendation details. 3. Click **Exception options**. +![Screenshot of the exception option in the remediation flyout pane](images/tvm-exception-option.png) 4. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration. +> ![Screenshot of exception flyout page which details justification and context](images/tvm-exception-flyout.png) + 5. Click **Submit**. A confirmation message at the top of the page indicates that the exception has been created. +![Screenshot of exception confirmation message](images/tvm-exception-confirmation.png) 6. Navigate to the **Remediation** page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past). +![Screenshot of exception list of exceptions in the Remediation page](images/tvm-exception-list.png) + +## Use Advanced hunting query to search for machines with High active alerts or critical CVE public exploit + +1. Go to **Advanced hunting** from the left-hand navigation pane. + +2. Scroll down to the TVM advanced hunting schemas to familiarize yourself with the column names. + +3. 
Enter the following queries: + +``` +// Search for machines with High active alerts or Critical CVE public exploit +DeviceTvmSoftwareInventoryVulnerabilities +| join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId +| where IsExploitAvailable == 1 and CvssScore >= 7 +| summarize NumOfVulnerabilities=dcount(CveId), +ComputerName=any(ComputerName) by MachineId +| join kind =inner(AlertEvents) on MachineId +| summarize NumOfVulnerabilities=any(NumOfVulnerabilities), +ComputerName=any(ComputerName) by MachineId, AlertId +| project ComputerName, NumOfVulnerabilities, AlertId +| order by NumOfVulnerabilities desc + +``` ## Related topics - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) @@ -156,6 +184,8 @@ When an exception is created for a recommendation, the recommendation is no long - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) - [Security recommendations](tvm-security-recommendation.md) -- [Remediation](tvm-remediation.md) +- [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) +- [Advanced hunting overview](overview-hunting.md) +- [All Advanced hunting tables](advanced-hunting-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index 1704845ac8..668b2a1cb4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md 
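Review bot: The filter in the added hunting query does not match the column types this same commit documents for DeviceTvmSoftwareVulnerabilitiesKB, where `CvssScore` is listed as string and `IsExploitAvailable` as boolean. If that schema page is right, the numeric comparison on a string column will probably not behave as intended, and the line would be safer as `| where IsExploitAvailable == true and todouble(CvssScore) >= 7`. The leading comment also promises more than the query delivers: the join on `AlertEvents` has no severity or status filter, so any alert qualifies rather than only high active ones, and a score of 7 or above is the CVSS High band, not only Critical. Either tighten the filters or reword the comment to something like `// Machines with any alert and a CVE of CVSS 7+ that has a public exploit`, so analysts do not over-trust the result set.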
@@ -53,7 +53,7 @@ Area | Description
 (2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, **Software inventory**, and **Weaknesses**.
 **Dashboards** | Get a high-level view of the organization exposure score, organization configuration score, machine exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed machines data.
 **Security recommendations** | See the list of security recommendations, their related components, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list, a flyout panel opens with vulnerability details, open the software page, see the remediation, and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. See [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) for more information.
-**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. See [Remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation) for more information.
+**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. See [Remediation and exception](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation) for more information.
 **Software inventory** | See the list of applications, versions, weaknesses, whether there’s an exploit found on the application, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. See [Software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) for more information.
 **Weaknesses** | See the list of common vulnerabilities and exposures, the severity, its common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed machines are there. You can select each item in the list and it opens a flyout panel with the vulnerability description and other details. See [Weaknesses](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) for more information.
 (3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, and **Top exposed machines**.
@@ -73,7 +73,7 @@ See [Microsoft Defender ATP icons](https://docs.microsoft.com/windows/security/t
 - [Exposure score](tvm-exposure-score.md)
 - [Configuration score](configuration-score.md)
 - [Security recommendations](tvm-security-recommendation.md)
-- [Remediation](tvm-remediation.md)
+- [Remediation and exception](tvm-remediation.md)
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
index 8eebb66298..fca24b4b1f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
@@ -42,7 +42,7 @@ Reduce the exposure score by addressing what needs to be remediated based on the
 - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
 - [Configuration score](configuration-score.md)
 - [Security recommendations](tvm-security-recommendation.md)
-- [Remediation](tvm-remediation.md)
+- [Remediation and exception](tvm-remediation.md)
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
index 674d4b0309..99b1ae6759 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
@@ -1,6 +1,6 @@ --- -title: Remediation -description: You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations. Threat & Vulnerability Management bridges the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM). +title: Remediation and exception +description: You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations or filing exceptions provided there are compensation controls. Threat & Vulnerability Management bridges the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM). keywords: microsoft defender atp tvm remediation, mdatp tvm, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/11/2019 --- -# Remediation +# Remediation and exception **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -47,11 +47,62 @@ When you submit a remediation request from Threat & Vulnerability Management, it It creates a security task which will be tracked in Threat & Vulnerability Management **Remediation** page, and it also creates a remediation ticket in Microsoft Intune. -You also have the option to export all remediation activity data to CSV for records, reporting purposes, or if you want to notify your IT administration counterpart that a remediation ticket has been submitted. The dashboard will show that status of your top remediation activities. Click any of the entries and it will take you to the **Remediation** page. You can mark the remediation activity as completed after the IT administration team remediates the task. -However, if the security recommendation stemmed from a false positive report, or if there are existing business justification that blocks the remediation, such as compensating control, productivity needs, compliance, or if there's already a planned remediation grace period, you can file an exception and indicate the reason. The exceptions you've filed will also show up in the **Remediation** page, in the **Exceptions** tab. +## When to file for exception instead of remediating issues +You can file exceptions to exclude certain recommendation from showing up in reports and affecting risk scores or secure scores. + +When you select a security recommendation, it opens up a flyout screen with details and options for your next step. You can either **Open software page**, choose from **Remediation options**, go through **Exception options** to file for exceptions, or **Report inaccuracy**. + +Select **Exception options** and a flyout screen opens. 
+ +![Screenshot of exception flyout screen](images/tvm-exception-flyout.png) + +### Exception justification +If the security recommendation stemmed from a false positive report, or if there are existing business justification that blocks the remediation, such as compensating control, productivity needs, compliance, or if there's already a planned remediation grace period, you can file an exception and indicate the reason. The following list details the justifications behind the exception options: + +- **Compensating/alternate control** - A 3rd party control that mitigates this recommendation exists, for example, if Network Firewall - - prevents access to a machine, third party antivirus +- **Productivity/business need** - Remediation will impact productivity or interrupt business-critical workflow +- **Accept risk** - Poses low risk and/or implementing a compensating control is too expensive +- **Planned remediation (grace)** - Already planned but is awaiting execution or authorization +- **Other** - False positive + + + ![Screenshot of exception reason dropdown menu](images/tvm-exception-dropdown.png) + +### Exception visibility +The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab. +However, you also have the option to filter your view based on exception justification, type, and status. + +![Screenshot of exception tab and filters](images/tvm-exception-filters.png) + +Aside from that, there's also an option to **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard. + +![Screenshot of Show exceptions link in the Top security recommendations card in the dashboard](images/tvm-exception-dashboard.png) + +Clicking the link opens up to the **Security recommendations** page, where you can select the item exempted item with details. 
+ +![Screenshot of exception details in the Security recommendation page](images/tvm-exception-details.png) + +### Actions on exceptions +- Cancel - You can cancel the exceptions you've filed any time +- Resurface - Your exception automatically becomes void and resurfaces in the security recommendation list when dynamic environmental factors change, which adversely affect the exposure impact associated with a recommendation that had previously been excluded + +### Exception status +- **Canceled** - The exception has been canceled and is no longer in effect +- **Expired** - The exception that you've filed is no longer in effect +- **In effect** - The exception that you've filed is in progress + +### Exception impact on scores +Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Secure Score (for configurations) of your organization in the following manner: +- **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores +- **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control. +- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Secure Score results out of the exception option that you made + +The exception impact shows on both the Security recommendations page column and in the flyout pane. + +![Screenshot of where to find the exception impact](images/tvm-exception-impact.png) ## Related topics - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index cb1913abcb..ee75d061da 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md @@ -79,14 +79,12 @@ You can report a false positive when you see any vague, inaccurate, incomplete, 6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context. - - ## Related topics - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) -- [Remediation](tvm-remediation.md) +- [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md index a7ff6812ce..e1d39cdf5d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md @@ -63,6 +63,6 @@ You can report a false positive when you see any vague, inaccurate version, inco - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) - [Security recommendation](tvm-security-recommendation.md) -- [Remediation](tvm-remediation.md) +- [Remediation and exception](tvm-remediation.md) - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md index e2615c2319..7eefec6595 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md @@ -15,25 +15,32 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/11/2019 +ms.date: 10/31/2019 --- # Weaknesses **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559 + +[!include[Prerelease information](prerelease.md)] Threat & Vulnerability Management leverages the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities. The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, corresponding breach, and threat insights. >[!IMPORTANT] ->To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network: +>To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and deploy them in your network: >- 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) >- RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077) >- RS4 customers | [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045) >- RS3 customers | [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071) +>

    Downloading the above-mentioned security updates will be mandatory starting Patch Tuesday, October 8, 2019. ## Navigate through your organization's weaknesses page -You can see the list of vulnerabilities in four ways: +You can access the list of vulnerabilities in a few places in the portal: +- Global search +- Weaknesses option in the navigation menu +- Top vulnerable software widget in the dashboard +- Discovered vulnerabilities page in the machine page *Vulnerabilities in global search* 1. Click the global search drop-down menu. 
@@ -46,12 +53,13 @@ You can see the list of vulnerabilities in four ways: *Weaknesses page in the menu* 1. Go to the Threat & Vulnerability Management navigation menu and select **Weaknesses** to open up the list of vulnerabilities found in your organization. -2. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates. +2. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, dates when it was published and updated, related software, exploit kits available, vulnerability type, link to useful reference, and number of exposed machines which users can also export. +![Screenshot of the CVE details in the flyout pane in the Weaknesses page](images/tvm-weaknesses-page.png) *Top vulnerable software widget in the dashboard* 1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time. ![tvm-top-vulnerable-software](images/tvm-top-vulnerable-software.png) -2. Click the software that you want to investigate and it takes you to the software page. You will the weaknesses found in your machine per severity level, in which machines are they installed, version distribution, and the corresponding security recommendation. +2. Click the software that you want to investigate and it takes you to the software page. You will see the weaknesses found in your machine per severity level, in which machines are they installed, version distribution, and the corresponding security recommendation. 3. Select the **Discovered vulnerabilities** tab. 4. 
Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates. 
@@ -68,22 +76,25 @@ You can see the list of vulnerabilities in four ways: 5. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates. ## How it works -When new vulnerabilities are released, you would want know how many of your assets are exposed. You can see the list of vulnerabilities and the details in the **Weaknesses** page. +When new vulnerabilities are released, you would want to know how many of your assets are exposed. You can see the list of vulnerabilities and the details in the **Weaknesses** page. -If the **Exposed Machines** column shows 0, that means you are not infected. +If the **Exposed Machines** column shows 0, that means you are not at risk. -If there's a number in the **Exposed Machines**, that means you need to remediate the vulnerabilities in those machines because they put the rest of your assets and your organization at risk. +If exposed machines exist, that means you need to remediate the vulnerabilities in those machines because they put the rest of your assets and your organization at risk. You can also see the related alert and threat insights in the **Threat** column. -The breach insights icons are highlighted if there are active alerts associated with the vulnerability found in your organization. +The breach insights icon is highlighted if there is a vulnerability found in your organization. Prioritize an investigation because it means there might be a breach in your organization. + ![tvm-breach-insights](images/tvm-breach-insights.png) -The threat insights icons are highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is connected to specific campaign for which, Threat Analytics report links are provided that you can read. 
+The threat insights icons are highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has zero-day exploitation news, disclosures, or related security advisories. + ![tvm-threat-insights](images/tvm-threat-insights.png) + >[!NOTE] - > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight ![threat insight](images/tvm_bug_icon.png) icon and possible active alert ![possible active alert](images/tvm_alert_icon.png) icon. + > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight ![threat insight](images/tvm_bug_icon.png) icon and breach insight ![possible active alert](images/tvm_alert_icon.png) icon. ## Report inaccuracy @@ -115,6 +126,6 @@ You can report a false positive when you see any vague, inaccurate, missing, or - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) - [Security recommendation](tvm-security-recommendation.md) -- [Remediation](tvm-remediation.md) +- [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md index 8d498f43b4..e3afd90910 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md +++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md 
@@ -19,12 +19,12 @@ ms.topic: article # Create and manage roles for role-based access control **Applies to:** - - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-roles-abovefoldlink) +[!include[Prerelease information](prerelease.md)] + ## Create roles and assign the role to an Azure Active Directory group The following steps guide you on how to create roles in Microsoft Defender Security Center. It assumes that you have already created Azure Active Directory user groups. 
@@ -37,25 +37,31 @@ The following steps guide you on how to create roles in Microsoft Defender Secur - **Role name** - **Description** - **Permissions** - - **View data** - Users can view information in the portal. - - **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline. - - **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions. - - **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups. + - **View data** - Users can view information in the portal. + >[!NOTE] + >To view Threat & Vulnerability Management data, select **Threat and vulnerability management**. + + - **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline. + - **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions. + >[!NOTE] + >To enable your Security operation personnel to choose remediation options and file exceptions, select **Threat and vulnerability management - Remediation handling**, and **Threat and vulnerability management - Exception handling**. + + - **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups. > [!NOTE] > This setting is only available in the Microsoft Defender ATP administrator (default) role. 
- - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications. + - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications. - - **Live response capabilities** - Users can take basic or advanced live response commands. - - Basic commands allow users to: - - Start a live response session - - Run read only live response commands on a remote machine - - Advanced commands allow users to: - - Run basic actions - - Download a file from the remote machine - - View a script from the files library - - Run a script on the remote machine from the files library take read and write commands. + - **Live response capabilities** - Users can take basic or advanced live response commands. + - Basic commands allow users to: + - Start a live response session + - Run read only live response commands on a remote machine + - Advanced commands allow users to: + - Run basic actions + - Download a file from the remote machine + - View a script from the files library + - Run a script on the remote machine from the files library take read and write commands. For more information on the available commands, see [Investigate machines using Live response](live-response.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md index 0673d31c32..da6e550794 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md 
@@ -1,7 +1,7 @@ --- title: Monitoring web browsing security in Microsoft Defender ATP description: Use web protection in Microsoft Defender ATP to monitor web browsing security -keywords: web protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser +keywords: web protection, web threat protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -22,9 +22,7 @@ ms.date: 08/30/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) -[!include[Prerelease information](prerelease.md)] - -Web protection lets you monitor your organization’s web browsing security through reports under **Reports > Web protection** in the Microsoft Defender Security Center. The report contains the following cards that provide web threat detection statistics: +Web protection lets you monitor your organization’s web browsing security through reports under **Reports > Web protection** in the Microsoft Defender Security Center. The report contains cards that provide web threat detection statistics. - **Web threat protection detections over time** — this trending card displays the number of web threats detected by type during the selected time period (Last 30 days, Last 3 months, Last 6 months) 
@@ -44,7 +42,7 @@ Web protection categorizes malicious and unwanted websites as: - **Custom indicator** — websites whose URLs or domains you've added to your [custom indicator list](manage-indicators.md) for blocking ## View the domain list -Clicking on a specific web threat category in the **Web threat protection summary** card opens the **Domains** page, which shows a list of the domains prefiltered under that threat category. The page provides the following information for each domain: +Select a specific web threat category in the **Web threat protection summary** card to open the **Domains** page and display the list of the domains under that threat category. The page provides the following information for each domain: - **Access count** — number of requests for URLs in the domain - **Blocks** — number of times requests were blocked @@ -52,7 +50,7 @@ Clicking on a specific web threat category in the **Web threat protection summar - **Threat category** — type of web threat - **Machines** — number of machines with access attempts -Selecting a domain opens a panel that shows the list of URLs in that domain that have been accessed. The panel also lists machines that have attempted to access URLs in the domain. +Select a domain to view the list of machines that have attempted to access URLs in that domain as well as the list of URLs. ## Related topics - [Web protection overview](web-protection-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md index 714ddb9915..37f62a101c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md 
@@ -1,7 +1,7 @@ --- title: Overview of web protection in Microsoft Defender ATP description: Learn about web protection in Microsoft Defender ATP and how it can protect your organization -keywords: web protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser +keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -22,18 +22,16 @@ ms.date: 08/30/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) -[!include[Prerelease information](prerelease.md)] +Web protection in Microsoft Defender ATP uses [network protection](network-protection.md) to secure your machines against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web protection stops web threats without a web proxy and can protect machines while they are away or on premises. Web protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md). -Web protection in Microsoft Defender ATP leverages [network protection](network-protection.md) to secure your machines against web threats without relying on a web proxy, providing security for devices that are either away or on premises. By integrating with Microsoft Edge as well as popular third-party browsers like Chrome and Firefox, web protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md). +>[!Note] +>It can take up to an hour for machines to receive new customer indicators. With web protection, you also get: - Comprehensive visibility into web threats affecting your organization - Investigation capabilities over web-related threat activity through alerts and comprehensive profiles of URLs and the machines that access these URLs - A full set of security features that track general access trends to malicious and unwanted websites ->[!Note] ->It can take up to an hour for machines to receive new customer indicators. 
- ## Prerequisites Web protection uses network protection to provide web browsing security on Microsoft Edge and third-party web browsers. diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md index 1d2a797e10..e963f8f504 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md @@ -1,7 +1,7 @@ --- title: Respond to web threats in Microsoft Defender ATP description: Respond to alerts related to malicious and unwanted websites. Understand how web threat protection informs end users through their web browsers and Windows notifications -keywords: web protection, web browsing, alerts, response, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, notifications, end users, Windows notifications, blocking page, +keywords: web protection, web threat protection, web browsing, alerts, response, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, notifications, end users, Windows notifications, blocking page, search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -22,8 +22,6 @@ ms.date: 08/30/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) -[!include[Prerelease information](prerelease.md)] - Web protection in Microsoft Defender ATP lets you efficiently investigate and respond to alerts related to malicious websites and websites in your custom indicator list. ## View web threat alerts 
@@ -62,10 +60,10 @@ You can also check the machine that attempted to access a blocked URL. Selecting With web protection in Microsoft Defender ATP, your end users will be prevented from visiting malicious or unwanted websites using Microsoft Edge or other browsers. Because blocking is performed by [network protection](network-protection.md), they will see a generic error from the web browser. They will also see a notification from Windows. ![Image of Microsoft Edge showing a 403 error and the Windows notification](images/wtp-browser-blocking-page.png) -*Web threat blocked by Microsoft Edge* +*Web threat blocked on Microsoft Edge* -![Image of Chrome showing a secure connection warning and the Windows notification](images/wtp-chrome-browser-blocking-page.png) -*Web threat blocked by the Chrome web browser* +![Image of Chrome web browser showing a secure connection warning and the Windows notification](images/wtp-chrome-browser-blocking-page.png) +*Web threat blocked on Chrome* ## Related topics - [Web protection overview](web-protection-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index 158ff257d6..e58d48a928 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md @@ -30,6 +30,9 @@ For more information preview features, see [Preview features](https://docs.micro ## October 2019 +- [Indicators for IP addresses, URLs/Domains](manage-indicators.md)
    You can now allow or block URLs/domains using your own threat intelligence. + + - [Microsoft Threat Experts - Experts on Demand](microsoft-threat-experts.md)
    You now have the option to consult with Microsoft Threat Experts from several places in the portal to help you in the context of your investigation. - [Connected Azure AD applications](connected-applications.md)
    The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender ATP in your organization. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index e73bbfe476..d600158473 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md 
@@ -46,7 +46,7 @@ See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints. -As a cloud service, it is required that computers have access to the internet and that the ATP machine learning services are reachable. The URL: "\*.blob.core.windows.net" should not be excluded from any kind of network inspection. The table below lists the services and their associated URLs. You should ensure there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL: "\*.blob.core.windows.net"). +As a cloud service, it is required that computers have access to the internet and that the ATP machine learning services are reachable. The URL: "\*.blob.core.windows.net" should not be excluded from any kind of network inspection. The table below lists the services and their associated URLs. You should ensure there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL: "\*.blob.core.windows.net"). Below mention URLs are using port 443 for communication. | **Service**| **Description** |**URL** | diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index 1fbf4b6b35..20f5db2632 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md 
@@ -11,6 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
+audience: ITPro
 ms.date: 10/02/2018
 ms.reviewer:
 manager: dansimp
@@ -21,76 +22,93 @@ manager: dansimp **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge) -The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network. +Potentially unwanted applications are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior. -These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have poor reputation. +For example: -Typical PUA behavior includes: +* **Advertising software:** Software that displays advertisements or promotions, including software that inserts advertisements to webpages. +* **Bundling software:** Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA. +* **Evasion software:** Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products. 
-- Various types of software bundling -- Ad injection into web browsers -- Driver and registry optimizers that detect issues, request payment to fix the errors, but remain on the endpoint and make no changes or optimizations (also known as "rogue antivirus" programs) +For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md). -These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications. - ->[!TIP] ->You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up. ## How it works -Windows Defender Antivirus blocks detected PUA files and attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantined. +### Microsoft Edge -When a PUA is detected on an endpoint, Windows Defender Antivirus presents a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as normal threat detections (prefaced with "PUA:"). +The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). 
-They will also appear in the usual [quarantine list in the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). +#### Enable PUA protection in Chromium-based Microsoft Edge -## View PUA events +Although potentially unwanted application protection in Microsoft Edge (Chromium-based) is off by default, it can easily be turned on from within the browser. -PUA events are reported in the Windows Event Viewer, but not in System Center Configuration Manager or Intune. +1. From the tool bar, select **Settings and more** > **Settings** +1. Select **Privacy and services** +1. Under the **Services** section, you can toggle **Potentially unwanted app blocking** on or off -You can turn on email notifications for PUA detections. +> [!TIP] +> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen demo pages. -See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID 1160. + -## Configure PUA protection +### Windows Defender Antivirus -You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, Group Policy, or PowerShell cmdlets. +The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network. -You can also use the PUA audit mode to detect PUA without blocking them. The detections will be captured in the Windows event log. +> [!NOTE] +> This feature is only available in Windows 10. -This feature is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. +Windows Defender Antivirus blocks detected PUA files, and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. 
-**Use Intune to configure PUA protection** +When a PUA is detected on an endpoint, Windows Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content. + +The notification will appear in the usual [quarantine list within the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). + +#### Configure PUA protection in Windows Defender Antivirus + +You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, Group Policy, or via PowerShell cmdlets. + +You can also use the PUA audit mode to detect PUAs without blocking them. The detections will be captured in the Windows event log. + +> [!TIP] +> You can visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. + +PUA audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. + +##### Use Intune to configure PUA protection See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. -**Use Configuration Manager to configure PUA protection:** +##### Use Configuration Manager to configure PUA protection -PUA protection is enabled by default in System Center Configuration Manager (current branch), including version 1606 and later. +PUA protection is enabled by default in the System Center Configuration Manager (current branch), starting with version 1606. 
See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring System Center Configuration Manager (current branch). For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA). > [!NOTE] -> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager. +> PUA events blocked by Windows Defender Antivirus are reported in the Windows Event Viewer and not in System Center Configuration Manager. -**Use Group Policy to configure PUA protection:** +##### Use Group Policy to configure PUA protection -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and select **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components > Windows Defender Antivirus**. 4. Double-click **Configure protection for potentially unwanted applications**. -5. Click **Enabled** to enable PUA protection. +5. Select **Enabled** to enable PUA protection. -6. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Click **OK**. +6. 
In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. -**Use PowerShell cmdlets to configure PUA protection:** +##### Use PowerShell cmdlets to configure PUA protection Use the following cmdlet: @@ -98,12 +116,24 @@ Use the following cmdlet: Set-MpPreference -PUAProtection ``` -Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. +Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. -Setting `AuditMode` will detect PUAs but will not block them. +Setting `AuditMode` will detect PUAs without blocking them. See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +#### View PUA events + +PUA events are reported in the Windows Event Viewer, but not in System Center Configuration Manager or in Intune. + +You can turn on email notifications to receive mail about PUA detections. + +See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID **1160**. + +#### Allow-listing apps + +Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Windows Defender Antivirus. + ## Related topics - [Next gen protection](windows-defender-antivirus-in-windows-10.md) 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-36-rtp.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-36-rtp.png
new file mode 100644
index 0000000000..dab113680f
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-36-rtp.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-37-exclusions.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-37-exclusions.png
new file mode 100644
index 0000000000..d33e01e247
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-37-exclusions.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-exclusions.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-exclusions.md
new file mode 100644
index 0000000000..e186faf62f
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-exclusions.md
@@ -0,0 +1,82 @@
+---
+title: Configure and validate exclusions for Microsoft Defender ATP for Mac
+ms.reviewer:
+description: Describes how to provide and validate exclusions for Microsoft Defender ATP for Mac. Exclusions can be set for files, folders, and processes.
+keywords: microsoft, defender, atp, mac, exclusions, scans, antivirus
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Configure and validate exclusions for Microsoft Defender ATP for Mac
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+
+This article provides information on how to define exclusions that apply to on-demand scans, and real-time protection and monitoring.
+
+>[!IMPORTANT]
+>The exclusions described in this article don't apply to other Microsoft Defender ATP for Mac capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections.
+
+You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender ATP for Mac scans.
+
+Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Microsoft Defender ATP for Mac.
+
+>[!WARNING]
+>Defining exclusions lowers the protection offered by Microsoft Defender ATP for Mac. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
+
+## Supported exclusion types
+
+The follow table shows the exclusion types supported by Microsoft Defender ATP for Mac.
+
+Exclusion | Definition | Examples
+---|---|---
+File extension | All files with the extension, anywhere on the machine | .test
+File | A specific file identified by the full path | /var/log/test.log
+Folder | All files under the specified folder | /var/log/
+Process | A specific process (specified either by the full path or file name) and all files opened by it | /bin/cat
    cat
+
+## How to configure the list of exclusions
+
+### From the management console
+
+For more information on how to configure exclusions from JAMF, Intune, or another management console, see [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md).
+
+### From the user interface
+
+Open the Microsoft Defender ATP application and navigate to **Manage settings** > **Add or Remove Exclusion...**, as shown in the following screenshot:
+
+![Manage exclusions screenshot](images/mdatp-37-Exclusions.png)
+
+Select the type of exclusion that you wish to add and follow the prompts.
+
+## Validate exclusions lists with the EICAR test file
+
+You can validate that your exclusion lists are working by using `curl` to download a test file.
+
+In the following Bash snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the *.testing extension*, replace *test.txt* with *test.testing*. If you are testing a path, ensure that you run the command within that path.
+
+```bash
+$ curl -o test.txt http://www.eicar.org/download/eicar.com.txt
+```
+
+If Microsoft Defender ATP for Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
+
+If you do not have internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
+
+```bash
+echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt
+```
+
+You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md index bed05f108c..eac057b9fa 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -2,7 +2,7 @@ title: Installing Microsoft Defender ATP for Mac manually ms.reviewer: description: Describes how to install Microsoft Defender ATP for Mac manually, from the command line. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -70,7 +70,7 @@ To complete this process, you must have admin privileges on the machine. ![App install screenshot](images/MDATP_29_AppInstallLogin.png) > [!IMPORTANT] - > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. + > You will be prompted to allow a driver from Microsoft to be installed (either "System Extension Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. ![App install screenshot](images/MDATP_30_SystemExtension.png) 
@@ -80,66 +80,11 @@ To complete this process, you must have admin privileges on the machine. The installation proceeds. -> [!NOTE] -> If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but real-time protection will be disabled. +> [!CAUTION] +> If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but some features, such as real-time protection, will be disabled. See [Troubleshoot kernel extension issues](microsoft-defender-atp-mac-support-kext.md) for information on how to resolve this. > [!NOTE] -> macOS may request to reboot the machine upon the first installation of Microsoft Defender. Real-Time Protection will not be available until the machine is rebooted. - -### Fixing disabled Real-Time Protection - -If you did not enable Microsoft's driver during installation, then the application displays a banner prompting you to enable it: - - ![RTP disabled screenshot](images/MDATP_32_Main_App_Fix.png) - -You can also run ```mdatp --health```. It reports if Real-Time Protection is enabled but not available: - -```bash -$ mdatp --health -... -realTimeProtectionAvailable : false -realTimeProtectionEnabled : true -... -``` - -> [!NOTE] -> You have a 30 minute window to enable Real-Time Protection from the warning banner, immediately following installation. - -The warning banner contains a **Fix** button, which allows you to quickly enable Real-Time Protection, without having to open a command prompt. Select the **Fix** button. It prompts the **Security & Privacy** system window, where you have to **Allow** system software from developers "Microsoft Corporation". 
- -If you don't see a prompt, it means that 30 or more minutes have already passed, and Real-Time Protection has still not been enabled: - -![Security and privacy window after prompt expired screenshot](images/MDATP_33_SecurityPrivacySettings_NoPrompt.png) - -In this case, you need to perform the following steps to enable Real-Time Protection instead. - -1. In Terminal, attempt to install the driver. (The operation will fail) - ```bash - $ sudo kextutil /Library/Extensions/wdavkext.kext - Kext rejected due to system policy: { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" } - Kext rejected due to system policy: { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" } - Diagnostics for /Library/Extensions/wdavkext.kext: - ``` - -2. Open **System Preferences...** > **Security & Privacy** from the menu. (Close it first, if it's opened.) - -3. **Allow** system software from developers "Microsoft Corporation" - -4. In Terminal, install the driver again. This time the operation will succeed: - -```bash -$ sudo kextutil /Library/Extensions/wdavkext.kext -``` - -The banner should disappear from the Defender application, and ```mdatp --health``` should now report that Real-Time Protection is both enabled and available: - -```bash -$ mdatp --health -... -realTimeProtectionAvailable : true -realTimeProtectionEnabled : true -... -``` +> macOS may request to reboot the machine upon the first installation of Microsoft Defender. Real-time protection will not be available until the machine is rebooted. ## Client configuration diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md index 84e9cb78dd..c72aafc900 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -2,7 +2,7 @@ title: Installing Microsoft Defender ATP for Mac with Microsoft Intune ms.reviewer: description: Describes how to install Microsoft Defender ATP for Mac, using Microsoft Intune. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -295,7 +295,7 @@ Once the Intune changes are propagated to the enrolled devices, you can see them 2. Select **App type=Other/Line-of-business app**. 3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. 4. Select **Configure** and add the required information. -5. Use **macOS Sierra 10.12** as the minimum OS and set *Ignore app version* to **Yes**. Other settings can be any arbitrary value. +5. Use **macOS High Sierra 10.13** as the minimum OS and set *Ignore app version* to **Yes**. Other settings can be any arbitrary value. > [!CAUTION] > Failure to set *Ignore app version* to **Yes** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-updates.md) for additional information about how the product is updated. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md index 99a5b6cc89..59a2dce0fd 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md
@@ -2,7 +2,7 @@
 title: Installing Microsoft Defender ATP for Mac with JAMF
 ms.reviewer:
 description: Describes how to install Microsoft Defender ATP for Mac, using JAMF.
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra
+keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md
index 91a5f56395..b7a001aa8c 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md
@@ -1,7 +1,7 @@
 ---
 title: Installing Microsoft Defender ATP for Mac with different MDM product
 description: Describes how to install Microsoft Defender ATP for Mac on other management solutions.
-keywords: microsoft, defender, atp, mac, installation, deploy, macos, mojave, high sierra, sierra
+keywords: microsoft, defender, atp, mac, installation, deploy, macos, catalina, mojave, high sierra
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md
index 80ec6a0f67..b1e1ba3bff 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md
@@ -2,7 +2,7 @@
 title: Set preferences for Microsoft Defender ATP for Mac
 ms.reviewer:
 description: Describes how to configure Microsoft Defender ATP for Mac in enterprises.
-keywords: microsoft, defender, atp, mac, management, preferences, enterprise, intune, jamf, macos, mojave, high sierra, sierra
+keywords: microsoft, defender, atp, mac, management, preferences, enterprise, intune, jamf, macos, catalina, mojave, high sierra
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
index f37fa94b99..c187a7c270 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
@@ -2,7 +2,7 @@
 title: Microsoft Defender ATP for Mac Resources
 ms.reviewer:
 description: Describes resources for Microsoft Defender ATP for Mac, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product.
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra
+keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-support-kext.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-support-kext.md
new file mode 100644
index 0000000000..223afa3ea4
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-support-kext.md
@@ -0,0 +1,91 @@
+---
+title: Troubleshoot kernel extension issues in Microsoft Defender ATP for Mac
+ms.reviewer:
+description: Describes how to troubleshoot kernel extension-related issues in Microsoft Defender ATP for Mac.
+keywords: microsoft, defender, atp, mac, kernel, extension
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Troubleshoot kernel extension issues
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+
+This topic provides information on how to troubleshoot issues with the kernel extension that is installed as part of Microsoft Defender ATP for Mac.
+
+Starting with macOS High Sierra (10.13), macOS requires all kernel extensions to be explicitly approved before they are allowed to run on the device.
+
+If you did not approve the kernel extension during the deployment / installation of Microsoft Defender ATP for Mac, then the application displays a banner prompting you to enable it:
+
+ ![RTP disabled screenshot](images/MDATP_32_Main_App_Fix.png)
+
+You can also run ```mdatp --health```. It reports if real-time protection is enabled but not available. This is an indication that the kernel extension is not approved to run on your device.
+
+```bash
+$ mdatp --health
+...
+realTimeProtectionAvailable : false
+realTimeProtectionEnabled : true
+...
+```
+
+The following sections provide guidance on how to address this issue, depending on the method that you used to deploy Microsoft Defender ATP for Mac.
+
+## Managed deployment
+
+See the instructions corresponding to the management tool that you used to deploy the product:
+
+- [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md#configuration-profile)
+- [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md#create-system-configuration-profiles)
+
+## Manual deployment
+
+If less than 30 minutes have passed since the product was installed, navigate to **System Preferences** > **Security & Privacy**, where you have to **Allow** system software from developers "Microsoft Corporation".
+
+If you don't see this prompt, it means that 30 or more minutes have passed, and the kernel extension still not been approved to run on your device:
+
+![Security and privacy window after prompt expired screenshot](images/MDATP_33_SecurityPrivacySettings_NoPrompt.png)
+
+In this case, you need to perform the following steps to trigger the approval flow again.
+
+1. In Terminal, attempt to install the driver. The following operation will fail, because the kernel extension was not approved to run on the device, however it will trigger the approval flow again.
+
+ ```bash
+ $ sudo kextutil /Library/Extensions/wdavkext.kext
+ Kext rejected due to system policy: { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
+ Kext rejected due to system policy: { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
+ Diagnostics for /Library/Extensions/wdavkext.kext:
+ ```
+
+2. Open **System Preferences** > **Security & Privacy** from the menu. (Close it first, if it's opened.)
+
+3. **Allow** system software from developers "Microsoft Corporation"
+
+4. In Terminal, install the driver again.
This time the operation will succeed:
+
+```bash
+$ sudo kextutil /Library/Extensions/wdavkext.kext
+```
+
+The banner should disappear from the Defender application, and ```mdatp --health``` should now report that real-time protection is both enabled and available:
+
+```bash
+$ mdatp --health
+...
+realTimeProtectionAvailable : true
+realTimeProtectionEnabled : true
+...
+```
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-support-perf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-support-perf.md
new file mode 100644
index 0000000000..83be444fb5
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-support-perf.md
@@ -0,0 +1,55 @@
+---
+title: Troubleshoot performance issues
+ms.reviewer:
+description: Describes how to troubleshoot performance issues in Microsoft Defender ATP for Mac.
+keywords: microsoft, defender, atp, mac, performance
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Troubleshoot performance issues
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+
+This topic provides some general steps that can be used to narrow down performance issues related to Microsoft Defender ATP for Mac.
+
+Real-time protection (RTP) is a feature of Microsoft Defender ATP for Mac that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics.
+
+Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender ATP for Mac. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender ATP for Mac.
+
+The following steps can be used to troubleshoot and mitigate these issues:
+
+1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Microsoft Defender ATP for Mac is contributing to the performance issues.
+
+ If your device is not managed by your organization, real-time protection can be disabled using one of the following options:
+
+ - From the user interface. Open Microsoft Defender ATP for Mac and navigate to **Manage settings**.
+ + ![Manage real-time protection screenshot](images/mdatp-36-RTP.png) + + - From the Terminal. For security purposes, this operation requires elevation. + + ```bash + $ mdatp --config realTimeProtectionEnabled false + ``` + + If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md). + +2. Open Finder and navigate to **Applications** > **Utilities**. Open **Activity Monitor** and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers. + +3. Configure Microsoft Defender ATP for Mac with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. + + See [Configure and validate exclusions for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-exclusions.md) for details. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-whatsnew.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-whatsnew.md index 7312d11a2d..16a195c6dd 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-whatsnew.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-whatsnew.md @@ -20,6 +20,10 @@ ms.topic: conceptual # What's new in Microsoft Defender Advanced Threat Protection for Mac +## 100.72.15 + +- Bug fixes + ## 100.70.99 - Addressed an issue that impacts the ability of some users to upgrade to macOS Catalina when real-time protection is enabled. This sporadic issue was caused by Microsoft Defender ATP locking files within Catalina upgrade package while scanning them for threats, which led to failures in the upgrade sequence. 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index f87f5332c7..f7341c4283 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -1,8 +1,8 @@ --- title: Microsoft Defender ATP for Mac -ms.reviewer: +ms.reviewer: description: Describes how to install and use Microsoft Defender ATP for Mac. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -14,7 +14,7 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual --- @@ -43,8 +43,10 @@ If you have any feedback that you would like to share, submit it by opening Micr > [!CAUTION] > The three most recent major releases of macOS are supported. Beta versions of macOS are not supported. +> +> macOS Sierra (10.12) support will end on January 1, 2020. -- Supported macOS versions: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra) +- Supported macOS versions: 10.15 (Catalina), 10.14 (Mojave), 10.13 (High Sierra) - Disk space: 650 MB After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
new file mode 100644
index 0000000000..268a9cf97b
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
@@ -0,0 +1,232 @@ +--- +title: Allow LOB Win32 Apps on Intune-Managed S Mode Devices (Windows 10) +description: Using WDAC supplemental policies, you can expand the S mode base policy on your Intune-managed devices. +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.date: 10/30/2019 +--- + +# Allow Line-of-Business Win32 Apps on Intune-Managed S Mode Devices + +**Applies to:** + +- Windows 10 + +Beginning in Windows 10 (build 18363), Microsoft Intune enables customers to deploy and run business critical Win32 applications as well as Windows components that are normally blocked in S mode (ex. PowerShell.exe) on their Intune-managed Windows 10 in S mode (S mode) devices. + +With Intune, IT Pros can now configure their managed S mode devices using a Windows Defender Application Control (WDAC) supplemental policy that expands the S mode base policy to authorize the apps their business uses. This feature changes the S mode security posture from “every app is Microsoft-verified" to “every app is verified by Microsoft or your organization”. + +# Policy Authorization Process +![Policy Authorization](images/wdac-intune-policy-authorization.png) +The general steps for expanding the S mode base policy on your devices are to generate a supplemental policy, sign that policy, and then upload the signed policy to Intune and assign it to user or device groups. +1. Generate a supplemental policy with WDAC tooling + + This policy will expand the S mode base policy to authorize additional applications. Anything authorized by either the S mode base policy or your supplemental policy will be allowed to run. Your supplemental policies can specify filepath rules, trusted publishers, and more. 
+ + Refer to [Deploy multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md) for guidance on creating supplemental policies and [Deploy Windows Defender Application Control policy rules and file rules](select-types-of-rules-to-create.md) to choose the right type of rules to create for your policy. + + Below are a basic set of instructions for creating an S mode supplemental policy: + - Create a new base policy using [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) + + ```powershell + New-CIPolicy -MultiplePolicyFormat -ScanPath -UserPEs -FilePath "\SupplementalPolicy.xml" -Level Publisher -Fallback Hash + ``` + - Change it to a supplemental policy using [Set-CIPolicyIdInfo](https://docs.microsoft.com/powershell/module/configci/set-cipolicyidinfo?view=win10-ps) + + ```powershell + Set-CIPolicyIdInfo -SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784 -FilePath "\SupplementalPolicy.xml" + ``` + Policies which are supplementing the S mode base policy must use **-SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784**, as this is the S mode policy ID. + - Put the policy in enforce mode using [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps) + + ```powershell + Set-RuleOption -FilePath "\SupplementalPolicy.xml>" -Option 3 –Delete + ``` + This deletes the ‘audit mode’ qualifier. + - Convert to .bin using [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) + + ```powershell + ConvertFrom-CIPolicy -XmlFilePath "\SupplementalPolicy.xml" -BinaryFilePath "\SupplementalPolicy.bin> + ``` + +2. Sign policy + + Supplemental S mode policies must be digitally signed. To sign your policy, you can choose to use the Device Guard Signing Service or your organization's custom Public Key Infrastructure (PKI). 
Refer to [Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) for guidance on using DGSS and [Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) for guidance on signing using an internal CA. + + Once your policy is signed, you must authorize the signing certificate you used to sign the policy and optionally one or more additional signers that can be used to sign updates to the policy in the future. Use Add-SignerRule to add the signing certificate to the WDAC policy: + + ```powershell + Add-SignerRule -FilePath -CertificatePath -User -Update` + ``` + Rename your policy to "{PolicyID}.p7b" after you've signed it. PolicyID can be found by inspecting the Supplemental Policy XML + +3. Deploy the signed supplemental policy using Microsoft Intune + + Go to the Azure portal online and navigate to the Microsoft Intune page, then go to the Client apps blade and select 'S mode supplemental policies'. Upload the signed policy to Intune and assign it to user or device groups. Intune will generate tenant- and device- specific authorization tokens. Intune then deploys the corresponding authorization token and supplemental policy to each device in the assigned group. Together, these expand the S mode base policy on the device. + +> [!Note] +> When updating your supplemental policy, ensure that the new version number is strictly greater than the previous one. Using the same version number is not allowed by Intune. Refer to [Set-CIPolicyVersion](https://docs.microsoft.com/powershell/module/configci/set-cipolicyversion?view=win10-ps) for information on setting the version number. 
+ +# Standard Process for Deploying Apps through Intune +![Deploying Apps through Intune](images/wdac-intune-app-deployment.png) +Refer to [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps-win32-app-management) for guidance on the existing procedure of packaging signed catalogs and app deployment. + +# Optional: Process for Deploying Apps using Catalogs +![Deploying Apps using Catalogs](images/wdac-intune-app-catalogs.png) +Your supplemental policy can be used to significantly relax the S mode base policy, but there are security trade-offs you must consider in doing so. For example, you can use a signer rule to trust an external signer, but that will authorize all apps signed by that certificate, which may include apps you don’t want to allow as well. + +Instead of authorizing signers external to your organization, Intune has added new functionality to make it easier to authorize existing applications (without requiring repackaging or access to the source code) through the use of signed catalogs. This works for apps which may be unsigned or even signed apps when you don’t want to trust all apps that may share the same signing certificate. + +The basic process is to generate a catalog file for each app using Package Inspector, then sign the catalog files using the DGSS or a custom PKI. After that, IT Pros can use the standard Intune app deployment process outlined above. Refer to [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md) for more in-depth guidance on generating catalogs. + +> [!Note] +> Every time an app updates, you will need to deploy an updated catalog. Because of this, IT Pros should try to avoid using catalog files for applications that auto-update and direct users not to update applications on their own. + +# Sample Policy +Below is a sample policy that allows kernel debuggers, PowerShell ISE, and Registry Editor. 
It also demonstrates how to specify your organization's code signing and policy signing certificates. +```xml + + + 10.0.0.0 + {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} + + {5951A96A-E0B5-4D3D-8FB8-3E5B61030784} + + {52671094-ACC6-43CF-AAF1-096DC69C1345} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + + + + Example Policy Name + + + + + Example-Policy-10.0.0.0 + + + + +``` +# Policy Removal +> [!Note] +> This feature currently has a known a policy deletion bug, with a fix expected in the 2D update in late February 2020. Devices of users who are unenrolled will still have their WDAC policies removed. In the mentime, IT Pros are recommended to update their policy with the below 'empty' policy which makes no changes to S mode. + +```xml + + + 10.0.0.1 + {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} + {5951A96A-E0B5-4D3D-8FB8-3E5B61030784} + {52671094-ACC6-43CF-AAF1-096DC69C1345} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + + + + Example Policy Name - Empty + + + + + Example-Policy-Empty-10.0.0.1 + + + + +``` diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 196c8dc9a2..321aa58e14 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -36,6 +36,8 @@ #### [Signing WDAC policies with SignTool.exe](signing-policies-with-signtool.md) ### [Disable WDAC policies](disable-windows-defender-application-control-policies.md) ### [Device Guard and AppLocker](windows-defender-device-guard-and-applocker.md) +### [LOB Win32 Apps on S Mode](LOB-win32-apps-on-s.md) + ## [AppLocker](applocker\applocker-overview.md) ### [Administer AppLocker](applocker\administer-applocker.md) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 6505f27774..d70793409e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -24,9 +24,6 @@ ms.date: 05/17/2019 - Windows 10 - Windows Server 2016 ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - The restriction of only having a single code integrity policy active on a system at any given time has felt limiting for customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1. Enforce and Audit Side-by-Side 
@@ -53,7 +50,7 @@ Note that multiple policies will not work on pre-1903 systems. In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below is an example of creating a new policy in the multiple policy format. ```powershell -New-CIPolicy -MultiplePolicyFormat -ScanPath '.\temp\' -UserPEs -FilePath ".\policy.xml" -Level Publisher -Fallback Hash +New-CIPolicy -MultiplePolicyFormat -ScanPath "" -UserPEs -FilePath ".\policy.xml" -Level Publisher -Fallback Hash ``` Optionally, you can choose to make the new base policy supplementable (allow supplemental policies). 
@@ -70,19 +67,19 @@ Add-SignerRule -FilePath -CertificatePath [-Kernel] [-User] [-
 ### Supplemental Policy Creation
-In order to create a supplemental policy, begin by creating a new policy in the Multiple Policy Format. From there, use Set-CIPolicyIdInfo to convert it to a supplemental policy and specify which base policy it expands.
-- "SupplementsBasePolicyID": guid of new supplemental policy
-- "BasePolicyToSupplementPath": base policy that the supplemental policy applies to
+In order to create a supplemental policy, begin by creating a new policy in the Multiple Policy Format. From there, use Set-CIPolicyIdInfo to convert it to a supplemental policy and specify which base policy it expands. You can use either SupplementsBasePolicyID or BasePolicyToSupplementPath to specify the base policy.
+- "SupplementsBasePolicyID": GUID of base policy that the supplemental policy applies to
+- "BasePolicyToSupplementPath": path to base policy file that the supplemental policy applies to
 ```powershell
 Set-CIPolicyIdInfo [-FilePath] [-PolicyName ] [-SupplementsBasePolicyID ] [-BasePolicyToSupplementPath ] [-ResetPolicyID] [-PolicyId ] []
 ```
-Note that "ResetPolicyId" reverts a supplemental policy to a base policy, and resets the policy guids back to a random guid.
+Note that "ResetPolicyId" reverts a supplemental policy to a base policy, and resets the policy GUIDs back to a random GUID.
 ### Merging policies
-When merging, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \, then regardless of what the GUIDS and types are for any subsequent policies, the merged policy will be a base policy with ID \.
+When merging, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \, then regardless of what the GUIDs and types are for any subsequent policies, the merged policy will be a base policy with ID \.
 ### Deploying policies
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-app-catalogs.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-app-catalogs.png
new file mode 100644
index 0000000000..754cf041ba
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-app-catalogs.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-app-deployment.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-app-deployment.png
new file mode 100644
index 0000000000..91fc4f136b
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-app-deployment.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-policy-authorization.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-policy-authorization.png
new file mode 100644
index 0000000000..d011fc4408
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-policy-authorization.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
index 990977f063..3f9f335b8f 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
@@ -56,7 +56,7 @@ These settings, located at **Computer Configuration\Administrative Templates\Win
 |Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

    Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:

    • Enable Application Guard to print into the XPS format.
    • Enable Application Guard to print into the PDF format.
    • Enable Application Guard to print to locally attached printers.
    • Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
    **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| |Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.

    **Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | |Allow Persistence|Windows 10 Enterprise, 1709 or higher

    Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

    **Disabled or not configured.** All user data within Application Guard is reset between sessions.

    **Note**
    If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
    **To reset the container:**
    1. Open a command-line program and navigate to Windows/System32.
    2. Type `wdagtool.exe cleanup`.
      The container environment is reset, retaining only the employee-generated data.
    3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
      The container environment is reset, including discarding all employee-generated data.
    | -|Turn on Windows Defender Application Guard in Enterprise Mode|Windows 10 Enterprise, 1709 or higher|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.

    **Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.| +|Turn on Windows Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device. Available options:
    • Enable Windows Defender Application Guard only for Microsoft Edge;
    • Enable Windows Defender Application Guard only for Microsoft Office;
    • Enable Windows Defender Application Guard for both Microsoft Edge and Microsoft Office.
    **Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.| |Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.

    **Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.| |Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, 1803 or higher

    Windows 10 Pro, 1803 or higher|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.

      **Important**
      Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

    **Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| |Allow camera and microphone access in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher

    Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Windows Defender Application Guard.|**Enabled.** Applications inside Windows Defender Application Guard are able to access the camera and microphone on the user's device.

**Important**
Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

**Disabled or not configured.** Applications inside Windows Defender Application Guard are unable to access the camera and microphone on the user's device.|
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
index 1f20c39b88..e5d0cfcce1 100644
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
@@ -7,24 +7,26 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: mjcaparas
+ms.author: macapara
+audience: ITPro
 ms.localizationpriority: medium
 ms.date: 07/27/2017
 ms.reviewer:
 manager: dansimp
-ms.author: macapara
 ---
 # Windows Defender SmartScreen
+
 **Applies to:**
 - Windows 10
 - Windows 10 Mobile
-Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files.
+Windows Defender SmartScreen protects against phishing or malware websites, and the downloading of potentially malicious files.
 **Windows Defender SmartScreen determines whether a site is potentially malicious by:**
-- Analyzing visited webpages looking for indications of suspicious behavior. If it finds suspicious pages, Windows Defender SmartScreen shows a warning page, advising caution.
+- Analyzing visited webpages looking for indications of suspicious behavior. If Windows Defender Smartscreen determines that a page is suspicious, it will show a warning page to advise caution.
 - Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Windows Defender SmartScreen shows a warning to let the user know that the site might be malicious.
@@ -35,10 +37,11 @@ Windows Defender SmartScreen helps to protect your employees if they try to visi
 - Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, Windows Defender SmartScreen shows a warning, advising caution.
 >[!NOTE]
- >Before Windows 10, version 1703 this feature was called the SmartScreen filter when used within the browser and Windows SmartScreen when used outside of the browser.
+ >Before Windows 10, version 1703, this feature was called _the SmartScreen filter_ when used within the browser and _Windows SmartScreen_ when used outside of the browser.
 ## Benefits of Windows Defender SmartScreen
-Windows Defender SmartScreen helps to provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are:
+
+Windows Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are:
 - **Anti-phishing and anti-malware support.** Windows Defender SmartScreen helps to protect your employees from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly-used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Windows Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97)
@@ -50,9 +53,11 @@ Windows Defender SmartScreen helps to provide an early warning system against we
 - **Management through Group Policy and Microsoft Intune.** Windows Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md).
-## Viewing Windows Defender SmartScreen anti-phishing events
-When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx).
+- **Blocking URLs associated with potentially unwanted applications.** In the next major version of Microsoft Edge (based on Chromium), SmartScreen will blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md).
+## Viewing Windows Defender SmartScreen anti-phishing events
+
+When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx).
 ## Viewing Windows event logs for Windows Defender SmartScreen
 Windows Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Event Viewer.
@@ -60,18 +65,15 @@ Windows Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/ > [!NOTE] > For information on how to use the Event Viewer, see [Windows Event Viewer](https://docs.microsoft.com/host-integration-server/core/windows-event-viewer1). -|EventID | Description | -| :---: | :---: | -|1000 | Application Windows Defender SmartScreen Event| -|1001 | Uri Windows Defender SmartScreen Event| -|1002 | User Decision Windows Defender SmartScreen Event| +EventID | Description +-|- +1000 | Application Windows Defender SmartScreen Event +1001 | Uri Windows Defender SmartScreen Event +1002 | User Decision Windows Defender SmartScreen Event ## Related topics - [Windows Defender SmartScreen Frequently Asked Questions (FAQ)](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx) +- [SmartScreen Frequently Asked Questions (FAQ)](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx) - [Threat protection](../index.md) - - [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings) - ->[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).