From 5fd6e5c58e492303bb084fa104b9b26cb4d7f0e0 Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Fri, 3 Sep 2021 14:27:13 +0530 Subject: [PATCH 01/11] Updated-Files1to20 --- .../auditing/advanced-security-audit-policy-settings.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md index b1b0dbf35b..85e0d38f53 100644 --- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md @@ -21,7 +21,8 @@ ms.technology: mde # Advanced security audit policy settings **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. From 7df5a3510dc5b607e4538f56db7fe1737c4e269f Mon Sep 17 00:00:00 2001 From: Ashok Lobo Date: Mon, 6 Sep 2021 13:39:34 +0530 Subject: [PATCH 02/11] Updated for 5358843-files-1to25 --- .../auditing/advanced-security-audit-policy-settings.md | 6 +----- .../auditing/advanced-security-auditing-faq.yml | 5 ++--- .../auditing/advanced-security-auditing.md | 5 +---- ...ity-monitoring-recommendations-for-many-audit-events.md | 6 +----- .../apply-a-basic-audit-policy-on-a-file-or-folder.md | 5 +---- .../threat-protection/auditing/audit-account-lockout.md | 7 +------ .../auditing/audit-application-generated.md | 6 +----- .../auditing/audit-application-group-management.md | 6 +----- .../auditing/audit-audit-policy-change.md | 6 +----- .../auditing/audit-authentication-policy-change.md | 7 +------ .../auditing/audit-authorization-policy-change.md | 7 +------ .../auditing/audit-central-access-policy-staging.md | 7 +------ .../auditing/audit-certification-services.md | 6 +----- .../auditing/audit-computer-account-management.md | 6 +----- .../auditing/audit-credential-validation.md | 6 +----- .../audit-detailed-directory-service-replication.md | 6 +----- .../auditing/audit-detailed-file-share.md | 6 +----- .../auditing/audit-directory-service-access.md | 6 +----- .../auditing/audit-directory-service-changes.md | 6 +----- .../auditing/audit-directory-service-replication.md | 6 +----- .../auditing/audit-distribution-group-management.md | 5 +---- .../threat-protection/auditing/audit-dpapi-activity.md | 6 +----- .../threat-protection/auditing/audit-file-share.md | 6 +----- .../threat-protection/auditing/audit-file-system.md | 5 +---- .../auditing/audit-filtering-platform-connection.md | 6 +----- .../auditing/audit-filtering-platform-packet-drop.md | 6 +----- 26 files changed, 27 insertions(+), 128 deletions(-) diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md index 85e0d38f53..f45d596295 100644 --- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md @@ -14,16 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Advanced security audit policy settings -**Applies to** -- Windows 10 -- Windows 11 - This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. The security audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** can help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as: diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index 61dfe3d07c..3e90a4fd67 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml @@ -15,13 +15,12 @@ metadata: audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual - ms.date: 04/19/2017 + ms.date: 09/06/2021 ms.technology: mde title: Advanced security auditing FAQ summary: | - **Applies to** - - Windows 10 + This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing.md b/windows/security/threat-protection/auditing/advanced-security-auditing.md index 691956d81c..2e9d3a84f1 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing.md +++ b/windows/security/threat-protection/auditing/advanced-security-auditing.md @@ -14,15 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/6/2021 ms.technology: mde --- # Advanced security audit policies -**Applies to** -- Windows 10 - Advanced security audit policy settings are found in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** and appear to overlap with basic security audit policies, but they are recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in, you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies can be controlled by using Group Policy. diff --git a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md index c892db7b11..d092d91f72 100644 --- a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md +++ b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # Appendix A: Security monitoring recommendations for many audit events -**Applies to** -- Windows 10 -- Windows Server 2016 - This document, the [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) reference, provides information about individual audit events, and lists them within audit categories and subcategories. However, there are many events for which the following overall recommendations apply. There are links throughout this document from the “Recommendations” sections of the relevant events to this appendix. diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 2d63b25eb8..331e40c490 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -14,15 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 07/25/2018 +ms.date: 09/06/2021 ms.technology: mde --- # Apply a basic audit policy on a file or folder -**Applies to** -- Windows 10 - You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log. To complete this procedure, you must be signed in as a member of the built-in Administrators group or have **Manage auditing and security log** rights. diff --git a/windows/security/threat-protection/auditing/audit-account-lockout.md b/windows/security/threat-protection/auditing/audit-account-lockout.md index 77f8126a98..4837398076 100644 --- a/windows/security/threat-protection/auditing/audit-account-lockout.md +++ b/windows/security/threat-protection/auditing/audit-account-lockout.md @@ -11,17 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 07/16/2018 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Account Lockout -**Applies to** -- Windows 10 -- Windows Server 2016 - - Audit Account Lockout enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out. If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. diff --git a/windows/security/threat-protection/auditing/audit-application-generated.md b/windows/security/threat-protection/auditing/audit-application-generated.md index 7e8adee87d..c2f603a680 100644 --- a/windows/security/threat-protection/auditing/audit-application-generated.md +++ b/windows/security/threat-protection/auditing/audit-application-generated.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Application Generated -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Application Generated generates events for actions related to Authorization Manager [applications](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770563(v=ws.11)). Audit Application Generated subcategory is out of scope of this document, because [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)) is very rarely in use and it is deprecated starting from Windows Server 2012. diff --git a/windows/security/threat-protection/auditing/audit-application-group-management.md b/windows/security/threat-protection/auditing/audit-application-group-management.md index 647f8e28b6..7fefa5c73c 100644 --- a/windows/security/threat-protection/auditing/audit-application-group-management.md +++ b/windows/security/threat-protection/auditing/audit-application-group-management.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Application Group Management -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Application Group Management generates events for actions related to [application groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771579(v=ws.11)), such as group creation, modification, addition or removal of group member and some other actions. [Application groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771579(v=ws.11)) are used by [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)). diff --git a/windows/security/threat-protection/auditing/audit-audit-policy-change.md b/windows/security/threat-protection/auditing/audit-audit-policy-change.md index 1ac2a40f94..3828ec83b4 100644 --- a/windows/security/threat-protection/auditing/audit-audit-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-audit-policy-change.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Audit Policy Change -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Audit Policy Change determines whether the operating system generates audit events when changes are made to audit policy. diff --git a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md index 8bf74ed78f..07e3af496b 100644 --- a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md @@ -11,17 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Authentication Policy Change -**Applies to** -- Windows 10 -- Windows Server 2016 - - Audit Authentication Policy Change determines whether the operating system generates audit events when changes are made to authentication policy. Changes made to authentication policy include: diff --git a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md index c00445582a..20750fbbe9 100644 --- a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md @@ -11,17 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Authorization Policy Change -**Applies to** -- Windows 10 -- Windows Server 2016 - - Audit Authorization Policy Change allows you to audit assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes changes and Central Access Policy changes for file system objects. | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | diff --git a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md index d63d07634a..ed8737a5d1 100644 --- a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md +++ b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md @@ -11,17 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Central Access Policy Staging -**Applies to** -- Windows 10 -- Windows Server 2016 - - Audit Central Access Policy Staging allows you to audit access requests where a permission granted or denied by a proposed policy differs from the current central access policy on an object. If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event is generated as follows: diff --git a/windows/security/threat-protection/auditing/audit-certification-services.md b/windows/security/threat-protection/auditing/audit-certification-services.md index 82fe1eac16..655f1fbbbc 100644 --- a/windows/security/threat-protection/auditing/audit-certification-services.md +++ b/windows/security/threat-protection/auditing/audit-certification-services.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Certification Services -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Certification Services determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed. Examples of AD CS operations include: diff --git a/windows/security/threat-protection/auditing/audit-computer-account-management.md b/windows/security/threat-protection/auditing/audit-computer-account-management.md index 677244f857..1a3c91c1a9 100644 --- a/windows/security/threat-protection/auditing/audit-computer-account-management.md +++ b/windows/security/threat-protection/auditing/audit-computer-account-management.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Computer Account Management -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Computer Account Management determines whether the operating system generates audit events when a computer account is created, changed, or deleted. diff --git a/windows/security/threat-protection/auditing/audit-credential-validation.md b/windows/security/threat-protection/auditing/audit-credential-validation.md index 4fdf9060db..4bde8f1ddb 100644 --- a/windows/security/threat-protection/auditing/audit-credential-validation.md +++ b/windows/security/threat-protection/auditing/audit-credential-validation.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Credential Validation -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Credential Validation determines whether the operating system generates audit events on credentials that are submitted for a user account logon request. diff --git a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md index a6f472d018..593eb8718d 100644 --- a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md +++ b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Detailed Directory Service Replication -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Detailed Directory Service Replication determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers. diff --git a/windows/security/threat-protection/auditing/audit-detailed-file-share.md b/windows/security/threat-protection/auditing/audit-detailed-file-share.md index 4428aad464..92b53125a2 100644 --- a/windows/security/threat-protection/auditing/audit-detailed-file-share.md +++ b/windows/security/threat-protection/auditing/audit-detailed-file-share.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Detailed File Share -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Detailed File Share allows you to audit attempts to access files and folders on a shared folder. diff --git a/windows/security/threat-protection/auditing/audit-directory-service-access.md b/windows/security/threat-protection/auditing/audit-directory-service-access.md index 608ddbfc4f..bceb0bc1d1 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-access.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-access.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Directory Service Access -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Directory Service Access determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed. diff --git a/windows/security/threat-protection/auditing/audit-directory-service-changes.md b/windows/security/threat-protection/auditing/audit-directory-service-changes.md index 2141bbae5e..a2290c487c 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-changes.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-changes.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Directory Service Changes -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Directory Service Changes determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). diff --git a/windows/security/threat-protection/auditing/audit-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-directory-service-replication.md index df8ddc7f12..8bbcc73020 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-replication.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-replication.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Directory Service Replication -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Directory Service Replication determines whether the operating system generates audit events when replication between two domain controllers begins and ends. diff --git a/windows/security/threat-protection/auditing/audit-distribution-group-management.md b/windows/security/threat-protection/auditing/audit-distribution-group-management.md index 352eea4cfe..18f52d6dea 100644 --- a/windows/security/threat-protection/auditing/audit-distribution-group-management.md +++ b/windows/security/threat-protection/auditing/audit-distribution-group-management.md @@ -11,15 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Distribution Group Management -**Applies to** -- Windows 10 -- Windows Server 2016 Audit Distribution Group Management determines whether the operating system generates audit events for specific distribution-group management tasks. diff --git a/windows/security/threat-protection/auditing/audit-dpapi-activity.md b/windows/security/threat-protection/auditing/audit-dpapi-activity.md index 9661ffe602..ce489d62ac 100644 --- a/windows/security/threat-protection/auditing/audit-dpapi-activity.md +++ b/windows/security/threat-protection/auditing/audit-dpapi-activity.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit DPAPI Activity -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit [DPAPI](/previous-versions/ms995355(v=msdn.10)) Activity determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface ([DPAPI](/previous-versions/ms995355(v=msdn.10))). diff --git a/windows/security/threat-protection/auditing/audit-file-share.md b/windows/security/threat-protection/auditing/audit-file-share.md index 88b51b6a3f..97c2332179 100644 --- a/windows/security/threat-protection/auditing/audit-file-share.md +++ b/windows/security/threat-protection/auditing/audit-file-share.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit File Share -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit File Share allows you to audit events related to file shares: creation, deletion, modification, and access attempts. Also, it shows failed SMB SPN checks. diff --git a/windows/security/threat-protection/auditing/audit-file-system.md b/windows/security/threat-protection/auditing/audit-file-system.md index 98f61fc786..17787cf470 100644 --- a/windows/security/threat-protection/auditing/audit-file-system.md +++ b/windows/security/threat-protection/auditing/audit-file-system.md @@ -11,15 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit File System -**Applies to** -- Windows 10 -- Windows Server 2016 > [!NOTE] > For more details about applicability on older operating system versions, read the article [Audit File System](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319068(v=ws.11)). diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md index e4829f1e56..7e0478f79f 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Filtering Platform Connection -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Filtering Platform Connection determines whether the operating system generates audit events when connections are allowed or blocked by the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page). diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md index d6131681ec..dae76cc66f 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Filtering Platform Packet Drop -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Filtering Platform Packet Drop determines whether the operating system generates audit events when packets are dropped by the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page). From 7ab0e861984d7218efb9ad27f7d6d47bd82e95ef Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Mon, 6 Sep 2021 13:56:05 +0530 Subject: [PATCH 03/11] Corrected blocking issue --- .../auditing/advanced-security-auditing-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index 3e90a4fd67..c3c1ecbe92 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml @@ -22,7 +22,7 @@ title: Advanced security auditing FAQ summary: | - This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. +This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. - [What is Windows security auditing and why might I want to use it?](#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-) - [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-) From 2e8cd0e8200063e241528629c88d7d843fddbe48 Mon Sep 17 00:00:00 2001 From: Ashok Lobo Date: Mon, 6 Sep 2021 14:10:38 +0530 Subject: [PATCH 04/11] Updated --- .../auditing/advanced-security-auditing-faq.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index 3e90a4fd67..7341b721a6 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml @@ -19,10 +19,8 @@ metadata: ms.technology: mde title: Advanced security auditing FAQ -summary: | - - - This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. + +This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. - [What is Windows security auditing and why might I want to use it?](#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-) - [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-) From aa0b279205831619b050cba6339e4ed923fc6f8a Mon Sep 17 00:00:00 2001 From: Ashok Lobo Date: Mon, 6 Sep 2021 14:16:59 +0530 Subject: [PATCH 05/11] Updated --- .../auditing/advanced-security-auditing-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index 3f9281aea4..92cfb0b820 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml @@ -22,7 +22,7 @@ title: Advanced security auditing FAQ -This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. + This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. - [What is Windows security auditing and why might I want to use it?](#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-) - [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-) From 04b929803969b0bd2b5ed4bae640b4618cd21e61 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Mon, 20 Sep 2021 10:16:28 -0700 Subject: [PATCH 06/11] a few more updates --- .../update/deployment-service-overview.md | 25 +++++++++++-------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 4eca196e15..01812adc48 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -16,7 +16,10 @@ ms.topic: article # Windows Update for Business deployment service -> Applies to: Windows 10 +**Applies to** + +- Windows 10 +- Windows 11 The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update. It's designed to work in harmony with your existing Windows Update for Business policies. @@ -56,18 +59,18 @@ The deployment service exposes these capabilities through Microsoft [Graph REST To work with the deployment service, devices must meet all these requirements: -- Be running Windows 10, version 1709 or later +- Be running Windows 10, version 1709 or later (or Windows 11) - Be joined to Azure Active Directory (AD) or Hybrid AD -- Have one of the following Windows 10 editions installed: - - Windows 10 Pro - - Windows 10 Enterprise - - Windows 10 Education - - Windows 10 Pro Education - - Windows 10 Pro for Workstations +- Have one of the following Windows 10 or Windows 11 editions installed: + - Pro + - Enterprise + - Education + - Pro Education + - Pro for Workstations Additionally, your organization must have one of the following subscriptions: -- Windows 10 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) -- Windows 10 Education A3 or A5 (included in Microsoft 365 A3 or A5) +- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) +- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) - Windows Virtual Desktop Access E3 or E5 - Microsoft 365 Business Premium @@ -78,7 +81,7 @@ To use the deployment service, you use a management tool built on the platform, ### Using Microsoft Endpoint Manager -Microsoft Endpoint Manager integrates with the deployment service to provide Windows 10 update management capabilities. For more information, see [Windows 10 feature updates policy in Intune](/mem/intune/protect/windows-10-feature-updates). +Microsoft Endpoint Manager integrates with the deployment service to provide Windows client update management capabilities. For more information, see [Windows 10 feature updates policy in Intune](/mem/intune/protect/windows-10-feature-updates). ### Scripting common actions using PowerShell From 877ef1bebf8c99859d7aa562af7aff7739487fdb Mon Sep 17 00:00:00 2001 From: jaimeo Date: Mon, 20 Sep 2021 10:40:38 -0700 Subject: [PATCH 07/11] adding article on safeguard holds --- windows/deployment/update/safeguard-holds.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md index 735acd6e97..eb28dce097 100644 --- a/windows/deployment/update/safeguard-holds.md +++ b/windows/deployment/update/safeguard-holds.md @@ -12,9 +12,14 @@ ms.topic: article # Safeguard holds -Microsoft uses quality and compatibility data to identify issues that might cause a Windows 10 feature update to fail or roll back. When we find such an issue, we might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available. +**Applies to** -Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows 10. +- Windows 10 +- Windows 11 + +Microsoft uses quality and compatibility data to identify issues that might cause a Windows client feature update to fail or roll back. When we find such an issue, we might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available. + +Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows client. The lifespan of holds varies depending on the time required to investigate and fix an issue. During this time Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the hold. Once we release the hold, Windows Update will resume offering new operating system versions to devices. From 97b2691d63b6e1e56b69f84155dd20217ccd349d Mon Sep 17 00:00:00 2001 From: Kaushik Ainapure Date: Tue, 21 Sep 2021 00:23:48 +0530 Subject: [PATCH 08/11] Format changes and additional error codes 1. Updated article with H2 formatting for better discoverability of the error codes. 2. Updated article to include 17 additional error codes. --- .../update/windows-update-errors.md | 227 ++++++++++++++++-- 1 file changed, 205 insertions(+), 22 deletions(-) diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index eb178f7528..0604df39cc 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -3,13 +3,14 @@ title: Windows Update common errors and mitigation description: In this article, learn about some common issues you might experience with Windows Update, as well as steps to resolve them. ms.prod: w10 ms.mktglfcycl: -audience: itpro itproauthor: jaimeo ms.audience: itpro author: jaimeo -ms.reviewer: -manager: laurawi -ms.topic: article +ms.reviewer: kaushika +manager: dcscontentpm +audience: itpro +ms.topic: troubleshooting +ms.technology: windows-client-deployment ms.custom: seo-marvel-apr2020 --- @@ -22,22 +23,204 @@ ms.custom: seo-marvel-apr2020 The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them. +## 0x8024402F -| Error Code | Message | Description | Mitigation | -|------------------------------------------|-----------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed | -| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
Ren %systemroot%\system32\catroot2 \*.bak | -| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system. | -| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update Client.

If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). | -| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to the Internet. To fix this issue, follow these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com


You can also take a network trace to check what is timing out. \ | -| 0x80072EFD
0x80072EFE 
0x80D02002 | TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | -| 0X8007000D | ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred. | Attempt to re-download the update and initiate installation. | -| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity, the system failing to respond leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the upgrade. | -| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Sign in to the device to start the installation and allow the device to restart. | -| 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows Updates require the device to be restarted. Restart the device to complete update installation. | -| 0x80246017 | WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator). | -| 0x8024000B | WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | -| 0x8024000E | WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | -| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | -| 0x80244007 | WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | -| 0x80070422 | | This issue occurs when the Windows Update service stops working or is not running. | Check if the Windows Update service is running.
| +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed | + +## 0x80242006 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
- Ren %systemroot%\system32\catroot2 \*.bak | + +## 0x80070BC9 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system | + +## 0x80200053 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update Client.

If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc).| + +## 0x80072EE2 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to the Internet. To fix this issue, follow these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com


You can also take a network trace to check what is timing out. \ | + +## 0x80072EFD or 0x80072EFE or 0x80D02002 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | + +## 0X8007000D + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred.| Attempt to re-download the update and initiate installation. | + +## 0x8024A10A + +| Message | Description | Mitigation | +|---------|-------------|------------| +| USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity, the system failing to respond leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the upgrade. | + +## 0x80240020 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Sign in to the device to start the installation and allow the device to restart. | + +## 0x80242014 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows Updates require the device to be restarted. Restart the device to complete update nstallation. | + +## 0x80246017 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator).| + +## 0x8024000B + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | + +## 0x8024000E + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | + +## 0x8024D009 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | + +## 0x80244007 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | + +## 0x80070422 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| NA | This issue occurs when the Windows Update service stops working or is not running. | Check if the Windows Update service is running.
| + +## 0x800f0821 + + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_ABORT; client abort, IDABORT returned by ICbsUIHandler method except Error() | CBS transaction timeout exceeded. | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires and assumes the system has hung. Extending the timeout will mitigate the issue. Increase the machine resources. If a virtual machine, increase virtual CPU and memory to speedup the operation. Make sure the machine as at least the KB4493473, if not please download and manually install it.| + +## 0x800f0825 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_CANNOT_UNINSTALL; Package cannot be uninstalled. | Typically component store corruption caused when a component is in a partially installed state. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + +## 0x800F0920 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_HANG_DETECTED; A hang was detected while processing the operation. | Subsequent error logged after getting 0x800f0821 | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires and assumes the system has hung. Extending the timeout will mitigate the issue. Increase the machine resources. If a virtual machine, increase virtual CPU and memory to speedup the operation. Make sure the machine as at least the KB4493473, if not please download and manually install it. | + +## 0x800f081f + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_SOURCE_MISSING; source for package or file not found, ResolveSource() unsuccessful | Component Store corruption | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + +## 0x800f0831 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_STORE_CORRUPTION; CBS store is corrupted. | Corruption in the Windows Component Store. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + +## 0x80070005 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| E_ACCESSDENIED; General access denied error | File system or registry key permissions have been changed and the servicing stack doesn't have the required level of access. | This error generally means an ACCESS DENIED.
Go to %Windir%\logs\CBS and open the last CBS.log and search for “, error” and match with the timestamp. After finding the error, scroll up and try to determine what caused the ACCESS DENIED, it could be acess denied to a file, registry key,etc. Determine what object needs the right permissions and change the permissions | + +## 0x80070570 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_FILE_CORRUPT; The file or directory is corrupted and unreadable. | Component Store corruption | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + + +## 0x80070003 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_PATH_NOT_FOUND; The system cannot find the path specified. | The servicing stack cannot access a specific path. | Indicates an invalid path to an executable. Go to %Windir%\logs\CBS and open the last CBS.log and search for “, error” and match with the timestamp. | + + +## 0x80070020 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_SHARING_VIOLATION | Numerous causes. CBS log analysis required. | This error is usually caused by 3rd party filter drivers like Antivirus.
1. [Perform a clean boot and retry the installation](https://support.microsoft.com/help/929135/)
2. Download the sysinternal tool process monitor -> https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
3. Run procmon.exe. It will start data capture automatically
4. Install the Update package again
5. With procmon program main window in focus, press Ctrl + E or click the magnifying glass to terminate data capture
6. Click File > Save > All Events > PML, and choose an adequate path to save the .PML file
7. Go to %windir%\logs\cbs and open the last cbs.log file and search for the error
8. After finding the error line a bit above you should have the file being accessed during the installation that is giving the sharing violation error
9. In the Procmon windows filter for path and insert the file name (it should be something like “path” “contains” “filename from CBS”)
10. After checking which process is accessing that file try to stop it or uninstall it from the machine | + +## 0x80073701 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_SXS_ASSEMBLY_MISSING; The referenced assembly could not be found. | Typically component store corruption caused when a component is in a partially installed state. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + +## 0x8007371b + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_SXS_TRANSACTION_CLOSURE_INCOMPLETE; One or more required members of the transaction are not present. | Component Store corruption. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + +## 0x80072EFE + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WININET_E_CONNECTION_ABORTED; The connection with the server was terminated abnormally | BITS is unable to transfer the file successfully. | Encountered if BITS is broken or if the file being transferred can't be written to the destination folder on the client. This error is usually caused by connection errors while checking/downloading updates.
From a cmd prompt run: **BITSADMIN /LIST /ALLUSERS /VERBOSE**
Search for the 0x80072EFE error code. You should see a reference to a HTTP code with a specific file, try to download it manually from your browser making sure you’re using your proxy organization settings. If it fails, check with your proxy manager to allow for the communication to be sucesfull. Also check with your network team for this specific URL access. | + +## 0x80072F8F + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WININET_E_DECODING_FAILED; Content decoding has failed | TLS 1.2 is not configured correctly on the client machine. | This error generally means that the Windows Update Agent was unable to decode the received content. You need to install and configure TLS 1.2 by installing this KB: https://support.microsoft.com/help/3140245/ + +## 0x80072EE2 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to WU, SCCM, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own configured WSUS/SCCM/MEM/etc.
Check with your network team if the machine is able to get to your WSUS/SCCM/MEM/etc or the internet servers. See, https://docs.microsoft.com/en-US/troubleshoot/mem/configmgr/troubleshoot-software-update-scan-failures
In case you’re using the public MS update servers, check that your device can access the following Windows Update endpoints:
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
https://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com | + +## 0x80240022 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_ALL_UPDATES_FAILED; Operation failed for all the updates. | Multiple root causes for this error.| Most common issue is where Anti-Virus software is blocking access to certain folders (like SoftwareDistribution). CBS.log analysis needed to determine the file or folder being protected. | + +## 0x8024401B + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ; Same as HTTP status 407 - proxy authentication is required. | Unable to authenticate through a proxy server. | Either the Winhttp proxy or WinInet proxy settings are not configured correctly. This error generally means that the Windows Update Agent was unable to connect to the update servers or your own configured WSUS/SCCM/MEM/etc due to a Proxy error.
- Verify the proxy settings on the client, and make sure that they are configured correctly. The Windows Update Agent uses WinHTTP to scan for available updates. So, when there is a proxy server between the client and the WSUS computer, the proxy settings must be configured correctly on the clients to enable them to communicate with WSUS by using the computer's FQDN.
- Check with your network team and proxy team if the machine is able to get to your WSUS/SCCM7MEM/etc or the internet servers without the proxy requiring user authentication | + + +## 0x80244022 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_PT_HTTP_STATUS_SERVICE_UNAVAILABLE; Same as HTTP status 503 - the service is temporarily overloaded. | Unable to connect to the configured update source. | Network troubleshooting needed to resolve the connectivity issue. Check with your network team and proxy team if the machine is able to get to your WSUS/SCCM7MEM/etc or the internet servers without the proxy requiring user authentication. | From 8018fc90224e43e4c1c5f9c078bbad24e7c0e0e8 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 20 Sep 2021 13:44:38 -0700 Subject: [PATCH 09/11] Fixed broken note; added vertical space for nicer layout --- .../update/deployment-service-overview.md | 20 ++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 01812adc48..f78e87008d 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -136,26 +136,35 @@ To enroll devices in Windows Update for Business cloud processing, set the **All > [!NOTE] > Setting this policy by using Group Policy isn't currently supported. - -| Policy | Sets registry key under **HKLM\\Software** | -|--------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------| -| MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | \\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing | +> +> | Policy | Sets registry key under **HKLM\\Software** | +> |--------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------| +> | MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | \\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing | Following is an example of setting the policy using Microsoft Endpoint Manager: 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + 2. Select **Devices** > **Configuration profiles** > **Create profile**. + 3. Select **Windows 10 and later** in **Platform**, select **Templates** in **Profile type**, select **Custom** in **Template name**, and then select **Create**. + 4. In **Basics**, enter a meaningful name and a description for the policy, and then select **Next**. + 5. In **Configuration settings**, select **Add**, enter the following settings, select **Save**, and then select **Next**. - Name: **AllowWUfBCloudProcessing** - Description: Enter a description. - OMA-URI: `./Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing` - Data type: **Integer** - Value: **8** + 6. In **Assignments**, select the groups that will receive the profile, and then select **Next**. + 7. In **Review + create**, review your settings, and then select **Create**. -8. (Optional) To verify that the policy reached the client, check the value of the following registry entry: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing**. + +8. (Optional) To verify that the policy reached the client, check the value of the following registry entry: + + **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing** ## Best practices Follow these suggestions for the best results with the service. @@ -163,6 +172,7 @@ Follow these suggestions for the best results with the service. ### Device onboarding - Wait until devices finish provisioning before managing with the service. If a device is being provisioned by Autopilot, it can only be managed by the deployment service after it finishes provisioning (typically one day). + - Use the deployment service for feature update management without feature update deferral policy. If you want to use the deployment service to manage feature updates on a device that previously used a feature update deferral policy, it's best to set the feature update deferral policy to **0** days to avoid having multiple conditions governing feature updates. You should only change the feature update deferral policy value to 0 days after you've confirmed that the device was enrolled in the service with no errors. ### General From 03c5cb308d48731ed17a3a6c2597f31f78645c83 Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Mon, 20 Sep 2021 13:47:16 -0700 Subject: [PATCH 10/11] Revert "Format changes and additional error codes" --- .../update/windows-update-errors.md | 227 ++---------------- 1 file changed, 22 insertions(+), 205 deletions(-) diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index 0604df39cc..eb178f7528 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -3,14 +3,13 @@ title: Windows Update common errors and mitigation description: In this article, learn about some common issues you might experience with Windows Update, as well as steps to resolve them. ms.prod: w10 ms.mktglfcycl: +audience: itpro itproauthor: jaimeo ms.audience: itpro author: jaimeo -ms.reviewer: kaushika -manager: dcscontentpm -audience: itpro -ms.topic: troubleshooting -ms.technology: windows-client-deployment +ms.reviewer: +manager: laurawi +ms.topic: article ms.custom: seo-marvel-apr2020 --- @@ -23,204 +22,22 @@ ms.custom: seo-marvel-apr2020 The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them. -## 0x8024402F -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed | - -## 0x80242006 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
- Ren %systemroot%\system32\catroot2 \*.bak | - -## 0x80070BC9 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system | - -## 0x80200053 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update Client.

If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc).| - -## 0x80072EE2 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to the Internet. To fix this issue, follow these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com


You can also take a network trace to check what is timing out. \ | - -## 0x80072EFD or 0x80072EFE or 0x80D02002 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | - -## 0X8007000D - -| Message | Description | Mitigation | -|---------|-------------|------------| -| ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred.| Attempt to re-download the update and initiate installation. | - -## 0x8024A10A - -| Message | Description | Mitigation | -|---------|-------------|------------| -| USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity, the system failing to respond leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the upgrade. | - -## 0x80240020 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Sign in to the device to start the installation and allow the device to restart. | - -## 0x80242014 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows Updates require the device to be restarted. Restart the device to complete update nstallation. | - -## 0x80246017 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator).| - -## 0x8024000B - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | - -## 0x8024000E - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | - -## 0x8024D009 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | - -## 0x80244007 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | - -## 0x80070422 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| NA | This issue occurs when the Windows Update service stops working or is not running. | Check if the Windows Update service is running.
| - -## 0x800f0821 - - -| Message | Description | Mitigation | -|---------|-------------|------------| -| CBS_E_ABORT; client abort, IDABORT returned by ICbsUIHandler method except Error() | CBS transaction timeout exceeded. | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires and assumes the system has hung. Extending the timeout will mitigate the issue. Increase the machine resources. If a virtual machine, increase virtual CPU and memory to speedup the operation. Make sure the machine as at least the KB4493473, if not please download and manually install it.| - -## 0x800f0825 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| CBS_E_CANNOT_UNINSTALL; Package cannot be uninstalled. | Typically component store corruption caused when a component is in a partially installed state. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | - -## 0x800F0920 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| CBS_E_HANG_DETECTED; A hang was detected while processing the operation. | Subsequent error logged after getting 0x800f0821 | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires and assumes the system has hung. Extending the timeout will mitigate the issue. Increase the machine resources. If a virtual machine, increase virtual CPU and memory to speedup the operation. Make sure the machine as at least the KB4493473, if not please download and manually install it. | - -## 0x800f081f - -| Message | Description | Mitigation | -|---------|-------------|------------| -| CBS_E_SOURCE_MISSING; source for package or file not found, ResolveSource() unsuccessful | Component Store corruption | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | - -## 0x800f0831 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| CBS_E_STORE_CORRUPTION; CBS store is corrupted. | Corruption in the Windows Component Store. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | - -## 0x80070005 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| E_ACCESSDENIED; General access denied error | File system or registry key permissions have been changed and the servicing stack doesn't have the required level of access. | This error generally means an ACCESS DENIED.
Go to %Windir%\logs\CBS and open the last CBS.log and search for “, error” and match with the timestamp. After finding the error, scroll up and try to determine what caused the ACCESS DENIED, it could be acess denied to a file, registry key,etc. Determine what object needs the right permissions and change the permissions | - -## 0x80070570 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| ERROR_FILE_CORRUPT; The file or directory is corrupted and unreadable. | Component Store corruption | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | - - -## 0x80070003 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| ERROR_PATH_NOT_FOUND; The system cannot find the path specified. | The servicing stack cannot access a specific path. | Indicates an invalid path to an executable. Go to %Windir%\logs\CBS and open the last CBS.log and search for “, error” and match with the timestamp. | - - -## 0x80070020 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| ERROR_SHARING_VIOLATION | Numerous causes. CBS log analysis required. | This error is usually caused by 3rd party filter drivers like Antivirus.
1. [Perform a clean boot and retry the installation](https://support.microsoft.com/help/929135/)
2. Download the sysinternal tool process monitor -> https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
3. Run procmon.exe. It will start data capture automatically
4. Install the Update package again
5. With procmon program main window in focus, press Ctrl + E or click the magnifying glass to terminate data capture
6. Click File > Save > All Events > PML, and choose an adequate path to save the .PML file
7. Go to %windir%\logs\cbs and open the last cbs.log file and search for the error
8. After finding the error line a bit above you should have the file being accessed during the installation that is giving the sharing violation error
9. In the Procmon windows filter for path and insert the file name (it should be something like “path” “contains” “filename from CBS”)
10. After checking which process is accessing that file try to stop it or uninstall it from the machine | - -## 0x80073701 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| ERROR_SXS_ASSEMBLY_MISSING; The referenced assembly could not be found. | Typically component store corruption caused when a component is in a partially installed state. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | - -## 0x8007371b - -| Message | Description | Mitigation | -|---------|-------------|------------| -| ERROR_SXS_TRANSACTION_CLOSURE_INCOMPLETE; One or more required members of the transaction are not present. | Component Store corruption. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | - -## 0x80072EFE - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WININET_E_CONNECTION_ABORTED; The connection with the server was terminated abnormally | BITS is unable to transfer the file successfully. | Encountered if BITS is broken or if the file being transferred can't be written to the destination folder on the client. This error is usually caused by connection errors while checking/downloading updates.
From a cmd prompt run: **BITSADMIN /LIST /ALLUSERS /VERBOSE**
Search for the 0x80072EFE error code. You should see a reference to a HTTP code with a specific file, try to download it manually from your browser making sure you’re using your proxy organization settings. If it fails, check with your proxy manager to allow for the communication to be sucesfull. Also check with your network team for this specific URL access. | - -## 0x80072F8F - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WININET_E_DECODING_FAILED; Content decoding has failed | TLS 1.2 is not configured correctly on the client machine. | This error generally means that the Windows Update Agent was unable to decode the received content. You need to install and configure TLS 1.2 by installing this KB: https://support.microsoft.com/help/3140245/ - -## 0x80072EE2 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to WU, SCCM, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own configured WSUS/SCCM/MEM/etc.
Check with your network team if the machine is able to get to your WSUS/SCCM/MEM/etc or the internet servers. See, https://docs.microsoft.com/en-US/troubleshoot/mem/configmgr/troubleshoot-software-update-scan-failures
In case you’re using the public MS update servers, check that your device can access the following Windows Update endpoints:
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
https://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com | - -## 0x80240022 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_ALL_UPDATES_FAILED; Operation failed for all the updates. | Multiple root causes for this error.| Most common issue is where Anti-Virus software is blocking access to certain folders (like SoftwareDistribution). CBS.log analysis needed to determine the file or folder being protected. | - -## 0x8024401B - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ; Same as HTTP status 407 - proxy authentication is required. | Unable to authenticate through a proxy server. | Either the Winhttp proxy or WinInet proxy settings are not configured correctly. This error generally means that the Windows Update Agent was unable to connect to the update servers or your own configured WSUS/SCCM/MEM/etc due to a Proxy error.
- Verify the proxy settings on the client, and make sure that they are configured correctly. The Windows Update Agent uses WinHTTP to scan for available updates. So, when there is a proxy server between the client and the WSUS computer, the proxy settings must be configured correctly on the clients to enable them to communicate with WSUS by using the computer's FQDN.
- Check with your network team and proxy team if the machine is able to get to your WSUS/SCCM7MEM/etc or the internet servers without the proxy requiring user authentication | - - -## 0x80244022 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_PT_HTTP_STATUS_SERVICE_UNAVAILABLE; Same as HTTP status 503 - the service is temporarily overloaded. | Unable to connect to the configured update source. | Network troubleshooting needed to resolve the connectivity issue. Check with your network team and proxy team if the machine is able to get to your WSUS/SCCM7MEM/etc or the internet servers without the proxy requiring user authentication. | +| Error Code | Message | Description | Mitigation | +|------------------------------------------|-----------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed | +| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
Ren %systemroot%\system32\catroot2 \*.bak | +| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system. | +| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update Client.

If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). | +| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to the Internet. To fix this issue, follow these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com


You can also take a network trace to check what is timing out. \ | +| 0x80072EFD
0x80072EFE 
0x80D02002 | TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | +| 0X8007000D | ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred. | Attempt to re-download the update and initiate installation. | +| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity, the system failing to respond leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the upgrade. | +| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Sign in to the device to start the installation and allow the device to restart. | +| 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows Updates require the device to be restarted. Restart the device to complete update installation. | +| 0x80246017 | WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator). | +| 0x8024000B | WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | +| 0x8024000E | WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | +| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | +| 0x80244007 | WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | +| 0x80070422 | | This issue occurs when the Windows Update service stops working or is not running. | Check if the Windows Update service is running.
| From 2ad81bb7395678071dc8e7d13c3c254d1e767f21 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 20 Sep 2021 13:58:02 -0700 Subject: [PATCH 11/11] Revert joining of note with table --- windows/deployment/update/deployment-service-overview.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index f78e87008d..63c9c6aa24 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -136,10 +136,10 @@ To enroll devices in Windows Update for Business cloud processing, set the **All > [!NOTE] > Setting this policy by using Group Policy isn't currently supported. -> -> | Policy | Sets registry key under **HKLM\\Software** | -> |--------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------| -> | MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | \\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing | + +| Policy | Sets registry key under **HKLM\\Software** | +|--------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------| +| MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | \\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing | Following is an example of setting the policy using Microsoft Endpoint Manager: