diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md index a01dc76b8c..93b1e53290 100644 --- a/windows/client-management/TOC.md +++ b/windows/client-management/TOC.md @@ -11,5 +11,9 @@ ## [Transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) ## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md) ## [Windows libraries](windows-libraries.md) +## [Troubleshoot Windows 10 clients](windows-10-support-solutions.md) +### [Data collection for troubleshooting 802.1x Authentication](data-collection-for-802-authentication.md) +### [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md) +### [Advanced troubleshooting Wireless Network Connectivity](advanced-troubleshooting-wireless-network-connectivity.md) ## [Mobile device management for solution providers](mdm/index.md) ## [Change history for Client management](change-history-for-client-management.md) diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md new file mode 100644 index 0000000000..09f781b887 --- /dev/null +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md @@ -0,0 +1,87 @@ +--- +title: Advanced Troubleshooting 802.1x Authentication +description: Learn how 802.1x Authentication works +keywords: advanced troubleshooting, 802.1x authentication, troubleshooting, authentication, Wi-Fi +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +author: mikeblodge +ms.localizationpriority: medium +ms.author: mikeblodge +ms.date: 10/29/2018 +--- + +# Advanced Troubleshooting 802.1x Authentication + +## Overview +This is a general troubleshooting of 802.1x wireless and wired clients. With +802.1x and Wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make Access Points or Switches, it won't be an end-to-end Microsoft solution. + +### Scenarios +This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 - 10 for clients, and Windows Server 2008 R2 - 2012 R2 for NPS. + +### Known Issues +N/A + +### Data Collection +Markdown - Advanced Troubleshooting 802.1x Authentication Data Collection + +### Troubleshooting +- Viewing the NPS events in the Windows Security Event log is one of the most useful troubleshooting methods to obtain information about failed authentications. + +NPS event log entries contain information on the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. NPS event logging for rejected or accepted connection is enabled by default. +Check Windows Security Event log on the NPS Server for NPS events corresponding to rejected (event ID 6273) or accepted (event ID 6272) connection attempts. + +In the event message, scroll to the very bottom, and check the **Reason Code** field and the text associated with it. + +![example of an audit failure](images/auditfailure.png) +*Example: event ID 6273 (Audit Failure)* +‎ +![example of an audit success](images/auditsuccess.png) +*Example: event ID 6272 (Audit Success)* + +‎ +- The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, Wired AutoConfig operational log is equivalent one. + +On client side, navigate to the Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational for wireless issue (for wired network access, ..\Wired-AutoConfig/Operational). + +![event viewer screenshot showing wired-autoconfig and WLAN autoconfig](images/eventviewer.png) + +- Most 802.1X authentication issues is due to problems with the certificate which is used for client or server authentication (e.g. invalid certificate, expiration, chain verification failure, revocation check failure, etc.). + +First, make sure which type of EAP method is being used. + +![eap authentication type comparison](images/comparisontable.png) + +- If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from EAP property menu. See figure below. + +![Constraints tab of the secure wireless connections properties](images/eappropertymenu.png) + +- The CAPI2 event log will be useful for troubleshooting certificate-related issues. +This log is not enabled by default. You can enable this log by navigating to the Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2 directory and expand it, then right-click on the Operational view and click the Enable Log menu. + +![screenshot of event viewer](images/eventviewer.png) + +You can refer to this article about how to analyze CAPI2 event logs. +[Troubleshooting PKI Problems on Windows Vista](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29) +For detailed troubleshooting 802.1X authentication issues, it's important to understand 802.1X authentication process. The figure below is an example of wireless connection process with 802.1X authentication. + +![aithenticatior flow chart](images/authenticator_flow_chart.png) + +- If you collect network packet capture on both a client and a NPS side, you can see the flow like below. Type **EAPOL** in Display Filter menu in Network Monitor for a client side and **EAP** for a NPS side. + +> [!NOTE] +> info not critical to a task If you also enable wireless scenario trace with network packet capture, you can see more detailed information on Network Monitor with **ONEX\_MicrosoftWindowsOneX** and **WLAN\_MicrosoftWindowsWLANAutoConfig** Network Monitor filtering applied. + + +![client-side packet capture data](images/clientsidepacket_cap_data.png) +*Client-side packet capture data* + +![NPS-side packet capture data](images/NPS_sidepacket_capture_data.png) +*NPS-side packet capture data* +‎ +## Additional references +[Troubleshooting Windows Vista 802.11 Wireless Connections](https://technet.microsoft.com/ja-jp/library/cc766215%28v=ws.10%29.aspx) + +[Troubleshooting Windows Vista Secure 802.3 Wired Connections](https://technet.microsoft.com/de-de/library/cc749352%28v=ws.10%29.aspx) + diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md new file mode 100644 index 0000000000..0896ab5eed --- /dev/null +++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md @@ -0,0 +1,199 @@ +--- +title: Advanced Troubleshooting Wireless Network Connectivity +description: Learn how troubleshooting of establishing Wi-Fi connections +keywords: troubleshooting, wireless network connectivity, wireless, Wi-Fi +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +author: mikeblodge +ms.localizationpriority: medium +ms.author: mikeblodge +ms.date: 10/29/2018 +--- +# Advanced Troubleshooting Wireless Network Connectivity + +> [!NOTE] +> Home users: This article is intended for use by support agents and IT professionals. If you're looking for more general information about Wi-Fi problems in Windows 10, check out this [Windows 10 Wi-Fi fix article](https://support.microsoft.com/en-in/help/4000432/windows-10-fix-wi-fi-problems). + +## Overview +This is a general troubleshooting of establishing Wi-Fi connections from Windows Clients. +Troubleshooting Wi-Fi connections requires understanding the basic flow of the Wi-Fi autoconnect state machine. Understanding this flow makes it easier to determine the starting point in a repro scenario in which a different behavior is found. +This workflow involves knowledge and use of [TextAnalysisTool](https://github.com/TextAnalysisTool/Releases), an extensive text filtering tool that is useful with complex traces with numerous ETW providers such as wireless_dbg trace scenario. + +## Scenarios + +Any scenario in which Wi-Fi connections are attempted and fail to establish. The troubleshooter is developed with Windows 10 clients in focus, but also may be useful with traces as far back as Windows 7. + +> [!NOTE] +> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component ETW. It is not meant to be representative of every wireless problem scenario. + +Wireless ETW is incredibly verbose and calls out lots of innocuous errors (i.e. Not really errors so much as behaviors that are flagged and have nothing to do with the problem scenario). Simply searching for or filtering on "err", "error", and "fail" will seldom lead you to the root cause of a problematic Wi-Fi scenario. Instead it will flood the screen with meaningless logs that will obfuscate the context of the actual problem. + +It is important to understand the different Wi-Fi components involved, their expected behaviors, and how the problem scenario deviates from those expected behaviors. +The intention of this troubleshooter is to show how to find a starting point in the verbosity of wireless_dbg ETW and home in on the responsible component(s) causing the connection problem. + +### Known Issues and fixes +** ** +| **OS version** | **Fixed in** | +| --- | --- | +| **Windows 10, version 1803** | [KB4284848](https://support.microsoft.com/help/4284848) | +| **Windows 10, version 1709** | [KB4284822](https://support.microsoft.com/help/4284822) | +| **Windows 10, version 1703** | [KB4338827](https://support.microsoft.com/help/4338827) | + +Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update-history webpage for your system: +- [Windows 10 version 1803](https://support.microsoft.com/help/4099479) +- [Windows 10 version 1709](https://support.microsoft.com/en-us/help/4043454) +- [Windows 10 version 1703](https://support.microsoft.com/help/4018124) +- [Windows 10 version 1607 and Windows Server 2016](https://support.microsoft.com/help/4000825) +- [Windows 10 version 1511](https://support.microsoft.com/help/4000824) +- [Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/4009470) +- [Windows Server 2012](https://support.microsoft.com/help/4009471) +- [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/40009469) + +### Data Collection +1. Network Capture with ETW. Use the following command: + + **netsh trace start wireless\_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl** + +2. Reproduce the issue if: + - There is a failure to establish connection, try to manually connect + - It is intermittent but easily reproducible, try to manually connect until it fails. Include timestamps of each connection attempt (successes and failures) + - Tue issue is intermittent but rare, netsh trace stop command needs to be triggered automatically (or at least alerted to admin quickly) to ensure trace doesn’t overwrite the repro data. + - Intermittent connection drops trigger stop command on a script (ping or test network constantly until fail, then netsh trace stop). + +3. Run this command to stop the trace: **netsh trace stop** +4. To convert the output file to text format: **netsh trace convert c:\tmp\wireless.etl** + +### Troubleshooting +The following is a high-level view of the main wifi components in Windows. + +![Wi-Fi stack components](images/wifistackcomponents.png) + +The Windows Connection Manager (Wcmsvc) is closely associated with the UI controls (see taskbar icon) to connect to various networks including wireless. It accepts and processes input from the user and feeds it to the core wireless service (Wlansvc). The Wireless Autoconfig Service (Wlansvc) handles the core functions of wireless networks in windows: + +- Scanning for wireless networks in range +- Managing connectivity of wireless networks + +The Media Specific Module (MSM) handles security aspects of connection being established. + +The Native Wifi stack consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc. + +Third-party wireless miniport drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows. +The wifi connection state machine has the following states: +- Reset +- Ihv_Configuring +- Configuring +- Associating +- Authenticating +- Roaming +- Wait_For_Disconnected +- Disconnected + +Standard wifi connections tend to transition between states such as: + +**Connecting** + +Reset --> Ihv_Configuring --> Configuring --> Associating --> Authenticating --> Connected + +**Disconnecting** + +Connected --> Roaming --> Wait_For_Disconnected --> Disconnected --> Reset + +- Filtering the ETW trace with the provided [TextAnalyisTool (TAT)](https://github.com/TextAnalysisTool/Releases) filter is an easy first step to determine where a failed connection setup is breaking down: +Use the **FSM transition** trace filter to see the connection state machine. +Example of a good connection setup: + +``` +44676 [2]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset +45473 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv\_Configuring +45597 [3]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv\_Configuring to State: Configuring +46085 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.710 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Configuring to State: Associating +47393 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.879 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Associating to State: Authenticating +49465 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Connected +``` +Example of a failed connection setup: +``` +44676 [2]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset +45473 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv\_Configuring +45597 [3]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv\_Configuring to State: Configuring +46085 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.710 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Configuring to State: Associating +47393 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.879 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Associating to State: Authenticating +49465 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Roaming +``` +By identifying the state at which the connection fails, one can focus more specifically in the trace on logs just prior to the last known good state. Examining **[Microsoft-Windows-WLAN-AutoConfig]** logs just prior to the bad state change should show evidence of error. Often, however, the error is propagated up through other wireless components. +In many cases the next component of interest will be the MSM, which lies just below Wlansvc. + +![MSM details](images/msmdetails.png) + +The important components of the MSM include: +- Security Manager (SecMgr) - handles all pre and post-connection security operations. +- Authentication Engine (AuthMgr) – Manages 802.1x auth requests +Each of these components has their own individual state machines which follow specific transitions. +Enable the **FSM transition, SecMgr Transition,** and **AuthMgr Transition** filters in TextAnalysisTool for more detail. +Continuing with the example above, the combined filters look like this: + +``` +[2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: +Reset to State: Ihv_Configuring +[2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: +Ihv_Configuring to State: Configuring +[1] 0C34.2FE8::08/28/17-13:24:28.711 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: +Configuring to State: Associating +[0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition INACTIVE (1) --> ACTIVE (2) +[0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition ACTIVE (2) --> START AUTH (3) +[4] 0EF8.0708::08/28/17-13:24:28.928 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition ENABLED --> START_AUTH +[3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: +Associating to State: Authenticating +[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4) +[4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition START_AUTH --> AUTHENTICATING +[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11) +[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1) +[2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: +Authenticating to State: Roaming +``` +> [!NOTE] +> In this line the SecMgr transition is suddenly deactivating. This transition is what eventually propagates to the main connection state machine and causes the Authenticating phase to devolve to Roaming state. As before, it makes sense to focus on tracing just prior to this SecMgr behavior to determine the reason for the deactivation. + +- Enabling the **Microsoft-Windows-WLAN-AutoConfig** filter will show more detail leading to the DEACTIVATE transition: + +``` +[3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: +Associating to State: Authenticating +[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4) +[4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition START_AUTH --> AUTHENTICATING +[0]0EF8.2EF4::‎08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PHY_STATE_CHANGE +[0]0EF8.2EF4::08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Change radio state for interface = Intel(R) Centrino(R) Ultimate-N 6300 AGN : PHY = 3, software state = on , hardware state = off ) +[0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PORT_DOWN +[0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]FSM Current state Authenticating , event Upcall_Port_Down +[0] 0EF8.1174:: 08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received IHV PORT DOWN, peer 0x186472F64FD2 +[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11) + [2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1) +[2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: +Authenticating to State: Roaming +``` +- The trail backwards reveals a Port Down notification. Port events indicate changes closer to the wireless hardware. The trail can be followed by continuing to see the origin of this indication. +Below, the MSM is the native wifi stack (as seen in Figure 1). These are Windows native wifi drivers which talk to the wifi miniport driver(s). It is responsible for converting Wi-Fi (802.11) packets to 802.3 (Ethernet) so that TCPIP and other protocols and can use it. +Enable trace filter for **[Microsoft-Windows-NWifi]:** + +``` +[3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: +Associating to State: Authenticating +[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4) +[4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x8A1514B62510 AuthMgr Transition START_AUTH --> AUTHENTICATING +[0]0000.0000::‎08/28/17-13:24:29.127 [Microsoft-Windows-NWiFi]DisAssoc: 0x8A1514B62510 Reason: 0x4 +[0]0EF8.2EF4::‎08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PHY_STATE_CHANGE +[0]0EF8.2EF4::08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Change radio state for interface = Intel(R) Centrino(R) Ultimate-N 6300 AGN : PHY = 3, software state = on , hardware state = off ) +[0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PORT_DOWN +[0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]FSM Current state Authenticating , event Upcall_Port_Down +[0] 0EF8.1174:: 08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received IHV PORT DOWN, peer 0x186472F64FD2 +[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11) + [2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1) +[2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: +Authenticating to State: Roaming +``` +The port down event is occurring due to a Disassociate coming Access Point as an indication to deny the connection. This could be due to invalid credentials, connection parameters, loss of signal/roaming, and various other reasons for aborting a connection. The action here would be to examine the reason for the disassociate sent from the indicated AP MAC (8A:15:14:B6:25:10). This would be done by examining internal logging/tracing from MAC device. + +### **Resources** +### [802.11 Wireless Tools and Settings](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755892(v%3dws.10)) +### [Understanding 802.1X authentication for wireless networks](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759077%28v%3dws.10%29) + diff --git a/windows/client-management/data-collection-for-802-authentication.md b/windows/client-management/data-collection-for-802-authentication.md new file mode 100644 index 0000000000..0a1952a064 --- /dev/null +++ b/windows/client-management/data-collection-for-802-authentication.md @@ -0,0 +1,551 @@ +--- +title: Data Collection for Troubleshooting 802.1x Authentication +description: Data needed for reviewing 802.1x Authentication issues +keywords: troubleshooting, data collection, data, 802.1x authentication, authentication, data +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +author: mikeblodge +ms.localizationpriority: medium +ms.author: mikeblodge +ms.date: 10/29/2018 +--- + +# Data Collection for Troubleshooting 802.1x Authentication + + +## Steps to capture Wireless/Wired functionality logs + +1. Create C:\MSLOG on the client machine to store captured logs. +2. Launch a command prompt as an administrator on the client machine, and run the following commands to start RAS trace log and Wireless/Wired scenario log: + +**On Windows 8.1, Windows 10 Wireless Client** + +```dos +netsh ras set tracing * enabled +``` +```dos +netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl +``` + +**On Windows 7, Winodws 8 Wireless Client** +```dos +netsh ras set tracing * enabled +``` +```dos +netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl +``` + +**On Wired network client** + +```dos +netsh ras set tracing * enabled +``` +```dos +netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_cli.etl +``` + +3. Run the followind command to enable CAPI2 logging: + +```dos +wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true +``` + +4. Create C:\MSLOG on the NPS to store captured logs. + +5. Launch a command prompt as an administrator on the NPS and run the following commands to start RAS trace log and Wireless/Wired scenario log: + +**On Windows Server 2012 R2, Windows Server 2016 Wireless network** + + ```dos + netsh ras set tracing * enabled + ``` + ```dos + netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl + ``` + +**On Windows Server 2008 R2, Winodws Server 2012 Wireless network** + + ```dos + netsh ras set tracing * enabled + ``` + ```dos + netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl + ``` + +**On wired network** + + ```dos + netsh ras set tracing * enabled + ``` + ```dos + netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_nps.etl + ``` + +6. Run the followind command to enable CAPI2 logging: + + ```dos + wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true + ``` + +7. Run the following command from the command prompt on the client machine and start PSR to capture screen images: + + +> [!NOTE] +> When the mouse button is clicked, the cursor will blink in red while capturing a screen image. + + ```dos + psr /start /output c:\MSLOG\%computername%\_psr.zip /maxsc 100 + ``` + +8. Repro the issue. + +9. Run the following command on the client machine to stop the PSR capturing: + + ```dos + psr /stop + ``` + +10. Run the following commands from the command prompt on the NPS. + +**Stopping RAS trace log and Wireless scenario log** + + ```dos + netsh trace stop + ``` + ```dos + netsh ras set tracing * disabled + ``` + +**Disabling and copying CAPI2 log** + + ```dos + wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false + ``` + ```dos + wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx + ``` + +11. Run the following commands from the prompt on the client machine. + +**Stopping RAS trace log and Wireless scenario log** + + ```dos + netsh trace stop + ``` + ```dos + netsh ras set tracing * disabled + ``` + +**Disabling and copying CAPI2 log** + + ```dos + wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false + ``` + ```dos + wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx + ``` + +12. Save the following logs on the client and the NPS. + +**Client** + - C:\MSLOG\%computername%_psr.zip + - C:\MSLOG\CAPI2_%COMPUTERNAME%.evtx + - C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl + - C:\MSLOG\%COMPUTERNAME%_wireless_cli.cab + - All log files and folders in %Systemroot%\Tracing + +**NPS** + - C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx + - C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl (%COMPUTERNAME%_wired_nps.etl for wired scenario) + - C:\MSLOG\%COMPUTERNAME%_wireless_nps.cab (%COMPUTERNAME%_wired_nps.cab for wired scenario) + - All log files and folders in %Systemroot%\Tracing + + +### Steps to save environmental / configuration information + +**Client** +1. Create C:\MSLOG to store captured logs. +2. Launch a command prompt as an administrator. +3. Run the following commands. + - Environmental information and Group Policies application status + ```dos + gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.htm + + msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt + + ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt + + route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt + ``` + +**Event logs** + +**Run the following command on Windows 8 and above ** +```dos +wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx + +wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx + +wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx +``` + +```dos +wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx + +wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx + +wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx + +wevtutil epl Microsoft-Windows-GroupPolicy/Operational C:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx + +wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-WLAN-AutoConfig-Operational.evtx + +wevtutil epl "Microsoft-Windows-Wired-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-Wired-AutoConfig-Operational.evtx + +wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx + +wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx +``` + +**Certificates Store information** + +```dos +certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt + +certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt + +certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt + +certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt + +certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt + +certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt + +certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt + +certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt + +certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt + +certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt + +certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt + +certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt + +certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt + +certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt + +certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt + +certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt + +certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt + +certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt + +certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt + +certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt + +certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt + +certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt + +certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt + +certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt + +certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt + +certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt + +certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt + +certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt + +certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt + +certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt + +certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt +``` + +**Wireless LAN Client information** +```dos +netsh wlan show all > c:\MSLOG\%COMPUTERNAME%\_wlan\_show\_all.txt + +netsh wlan export profile folder=c:\MSLOG\ +``` + +**Wired LAN Client information** +```dos +netsh lan show all > c:\MSLOG\%COMPUTERNAME%\_lan\_show\_all.txt + +netsh lan export profile folder=c:\MSLOG\ +``` + +4. Save the logs stored in C:\MSLOG. + + +**NPS** + 1. Create C:\MSLOG to store captured logs. + 2. Launch a command prompt as an administrator. + 3. Run the following commands: + + **Environmental information and Group Policies application status** + + ```dos + gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt + + msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt + + ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt + + route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt + ``` + +**Event logs** +**Run the following 3 commands on Windows Server 2012 and above:** +```dos +wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx + +wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx + +wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx +``` + +```dos +wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx + +wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx + +wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx + +wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx + +wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx + +wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx +``` + +**Certificates store information** +```dos +certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt + +certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt + +certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt + +certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt + +certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt + +certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt + +certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt + +certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt + +certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt + +certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt + +certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt + +certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt + +certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt + +certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt + +certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt + +certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt + +certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt + +certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt + +certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt + +certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt + +certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt + +certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt + +certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt + +certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt + +certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt + +certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt + +certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt + +certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt + +certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt + +certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt + +certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt +``` + +**NPS configuration information** +```dos +netsh nps show config > C:\MSLOG\%COMPUTERNAME%\_nps\_show\_config.txt + +netsh nps export filename=C:\MSLOG\%COMPUTERNAME%\_nps\_export.xml exportPSK=YES +``` + +3. Take the following steps to save an NPS accounting log: +4. Launch **Administrative tools** - **Network Policy Server**. + - On the Network Policy Server administration tool, select **Accounting** in the left pane. + - Click **Change Log File Properties** in the right pane. + - Click the **Log File** tab, note the log file naming convention shown as *Name* and the log file location shown in the **Directory** box. + - Copy the log file to C:\MSLOG. + - Save the logs stored in C:\MSLOG. + + +**Certificate Authority (CA)** *Optional* + +1. On a CA, launch a command prompt as an administrator. +2. Create C:\MSLOG to store captured logs. +3. Run the following commands: + +Environmental information and Group Policies application status + +```dos +gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt + +msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt + +ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt + +route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt +``` + +**Event logs** + +**Run the following 3 lines on Windows 2012 and up:** + +```dos +wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx + +wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx + +wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx +``` + +```dos +wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx + +wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx + +wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx + +wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx + +wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx + +wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx +``` + +**Certificates store information** + +```dos +certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt + +certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt + +certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt + +certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt + +certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt + +certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt + +certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt + +certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt + +certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt + +certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt + +certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt + +certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt + +certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt + +certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt + +certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt + +certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt + +certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt + +certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt + +certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt + +certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt + +certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt + +certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt + +certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt + +certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt + +certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt + +certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt + +certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt + +certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt + +certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt + +certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt + +certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt +``` + +**CA configuration information** +```dos +reg save HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.hiv + +reg export HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.txt + +reg save HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.hiv + +reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.tx +``` + +4. Copy the following files, if exist, to C:\MSLOG. %windir%\CAPolicy.inf +5. Log on to a domain controller and create C:\MSLOG to store captured logs. +6. Launch Windows PowerShell as an administrator. +7. Run the following PowerShell commandlets + + \* Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for ";test.local"; domain. +```powershell +Import-Module ActiveDirectory + +Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter \* -Properties \* | fl \* > C:\MSLOG\Get-ADObject\_$Env:COMPUTERNAME.txt +``` +8. Save the following logs: +- All files in C:\MSLOG on the CA +- All files in C:\MSLOG on the domain controller + diff --git a/windows/client-management/images/NPS_sidepacket_capture_data.png b/windows/client-management/images/NPS_sidepacket_capture_data.png new file mode 100644 index 0000000000..9d43a3ebed Binary files /dev/null and b/windows/client-management/images/NPS_sidepacket_capture_data.png differ diff --git a/windows/client-management/images/auditfailure.png b/windows/client-management/images/auditfailure.png new file mode 100644 index 0000000000..f235ad8148 Binary files /dev/null and b/windows/client-management/images/auditfailure.png differ diff --git a/windows/client-management/images/auditsuccess.png b/windows/client-management/images/auditsuccess.png new file mode 100644 index 0000000000..66ce98acb1 Binary files /dev/null and b/windows/client-management/images/auditsuccess.png differ diff --git a/windows/client-management/images/authenticator_flow_chart.png b/windows/client-management/images/authenticator_flow_chart.png new file mode 100644 index 0000000000..729895e60e Binary files /dev/null and b/windows/client-management/images/authenticator_flow_chart.png differ diff --git a/windows/client-management/images/clientsidepacket_cap_data.png b/windows/client-management/images/clientsidepacket_cap_data.png new file mode 100644 index 0000000000..b162d2e285 Binary files /dev/null and b/windows/client-management/images/clientsidepacket_cap_data.png differ diff --git a/windows/client-management/images/comparisontable.png b/windows/client-management/images/comparisontable.png new file mode 100644 index 0000000000..0f6781d93e Binary files /dev/null and b/windows/client-management/images/comparisontable.png differ diff --git a/windows/client-management/images/eappropertymenu.png b/windows/client-management/images/eappropertymenu.png new file mode 100644 index 0000000000..127d7a7e49 Binary files /dev/null and b/windows/client-management/images/eappropertymenu.png differ diff --git a/windows/client-management/images/eventviewer.png b/windows/client-management/images/eventviewer.png new file mode 100644 index 0000000000..76bbcd0650 Binary files /dev/null and b/windows/client-management/images/eventviewer.png differ diff --git a/windows/client-management/images/msmdetails.png b/windows/client-management/images/msmdetails.png new file mode 100644 index 0000000000..ad146b102e Binary files /dev/null and b/windows/client-management/images/msmdetails.png differ diff --git a/windows/client-management/images/wifi.txt b/windows/client-management/images/wifi.txt new file mode 100644 index 0000000000..c35240c56c --- /dev/null +++ b/windows/client-management/images/wifi.txt @@ -0,0 +1,31 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/windows/client-management/images/wifistackcomponents.png b/windows/client-management/images/wifistackcomponents.png new file mode 100644 index 0000000000..7971a3d9bf Binary files /dev/null and b/windows/client-management/images/wifistackcomponents.png differ diff --git a/windows/client-management/images/wiredautoconfig.png b/windows/client-management/images/wiredautoconfig.png new file mode 100644 index 0000000000..cede26ce74 Binary files /dev/null and b/windows/client-management/images/wiredautoconfig.png differ diff --git a/windows/deployment/update/waas-delivery-optimization-reference.txt b/windows/deployment/update/waas-delivery-optimization-reference.txt new file mode 100644 index 0000000000..993295784a --- /dev/null +++ b/windows/deployment/update/waas-delivery-optimization-reference.txt @@ -0,0 +1,23 @@ +--- +title: Delivery Optimization reference +description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10 +keywords: oms, operations management suite, wdav, updates, downloads, log analytics +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: JaimeO +ms.localizationpriority: medium +ms.author: jaimeo +ms.date: 10/23/2018 +--- + +# Delivery Optimization reference + +**Applies to** + +- Windows 10 + +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +There are a great many details you can set in Delivery Optimization to customize it to do just what you need it to. This topic summarizes them for your reference. + diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md new file mode 100644 index 0000000000..edb097e05a --- /dev/null +++ b/windows/deployment/update/waas-delivery-optimization-setup.md @@ -0,0 +1,42 @@ +--- +title: Set up Delivery Optimization +description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10 +keywords: oms, operations management suite, wdav, updates, downloads, log analytics +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: JaimeO +ms.localizationpriority: medium +ms.author: jaimeo +ms.date: 10/23/2018 +--- + +# Set up Delivery Optimization for Windows 10 updates + +**Applies to** + +- Windows 10 + +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +## Plan to use Delivery Optimization + +general guidelines + “recommended policies” chart + + +## Implement Delivery Optimization +[procedural-type material; go here, click this] + +### Peer[?] topology (steps for setting up Group download mode) + + +### Hub and spoke topology (steps for setting up peer selection) + + +## Monitor Delivery Optimization +how to tell if it’s working? What values are reasonable; which are not? If not, which way to adjust and how? + +### Monitor w/ PS + +### Monitor w/ Update Compliance + diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index f82f1afa73..c43a9b860b 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -1,5 +1,5 @@ --- -title: Configure Delivery Optimization for Windows 10 updates (Windows 10) +title: Delivery Optimization for Windows 10 updates (Windows 10) description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10 keywords: oms, operations management suite, wdav, updates, downloads, log analytics ms.prod: w10 @@ -8,10 +8,10 @@ ms.sitesec: library author: JaimeO ms.localizationpriority: medium ms.author: jaimeo -ms.date: 04/30/2018 +ms.date: 10/23/2018 --- -# Configure Delivery Optimization for Windows 10 updates +# Delivery Optimization for Windows 10 updates **Applies to** @@ -20,15 +20,14 @@ ms.date: 04/30/2018 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization in conjunction with stand-alone Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or System Center Configuration Manager when installation of Express Updates is enabled. +Delivery Optimization reduces the bandwidth needed to download Windows updates and applications by sharing the work of downloading these packages among multiple devices in your deployment. It does this by using a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. -Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet. +You can use Delivery Optimization in conjunction with standalone Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or System Center Configuration Manager (when installation of Express Updates is enabled). +To take advantage of Delivery Optimization, you'll need the following: ->[!NOTE] ->WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. - -The following table lists the minimum Windows 10 version that supports Delivery Optimization: +- The devices being updated must have access to the internet. +- The devices must be running at least these minimum versions: | Device type | Minimum Windows version | |------------------|---------------| @@ -37,10 +36,11 @@ The following table lists the minimum Windows 10 version that supports Delivery | IoT devices | 1803 | | HoloLens devices | 1803 | + In Windows 10 Enterprise and Education editions, Delivery Optimization allows peer-to-peer sharing on the organization's own network only, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. These options are detailed in [Download mode](#download-mode). -By default in Windows 10 Enterprise and Education editions, Delivery Optimization allows peer-to-peer sharing on the organization's own network only, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. +>[!NOTE] +>WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. -For more details, see [Download mode](#download-mode). ## Delivery Optimization options diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md index 325a6a229a..8aea0bb0cc 100644 --- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md +++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 08/21/2018 +ms.date: 10/29/2018 ms.localizationpriority: medium --- @@ -33,10 +33,14 @@ If you've followed the steps in the [Enrolling devices in Windows Analytics](win [Upgrade Readiness shows many "Computers with outdated KB"](#upgrade-readiness-shows-many-computers-with-outdated-kb) +[Upgrade Readiness shows many "Computers with incomplete data"](#upgrade-readiness-shows-many-computers-with-incomplete-data) + [Upgrade Readiness doesn't show app inventory data on some devices](#upgrade-readiness-doesnt-show-app-inventory-data-on-some-devices) [Upgrade Readiness doesn't show IE site discovery data from some devices](#upgrade-readiness-doesnt-show-ie-site-discovery-data-from-some-devices) +[Device names not appearing for Windows 10 devices](#device-names-not-appearing-for-windows-10-devices) + [Disable Upgrade Readiness](#disable-upgrade-readiness) [Exporting large data sets](#exporting-large-data-sets) @@ -191,7 +195,7 @@ Finally, Upgrade Readiness only collects IE site discovery data on devices that >[!NOTE] > IE site discovery is disabled on devices running Windows 7 and Windows 8.1 that are in Switzerland and EU countries. -### Device Names don't show up on Windows 10 devices +### Device names not appearing for Windows 10 devices Starting with Windows 10, version 1803, the device name is no longer collected by default and requires a separate opt-in. For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). ### Disable Upgrade Readiness diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md index 30f586c3f1..58469c7cf7 100644 --- a/windows/deployment/update/windows-analytics-get-started.md +++ b/windows/deployment/update/windows-analytics-get-started.md @@ -56,6 +56,12 @@ To enable data sharing, configure your proxy server to whitelist the following e | `https://login.live.com` | This endpoint is required by Device Health to ensure data integrity and provides a more reliable device identity for all of the Windows Analytics solutions on Windows 10. If you want to disable end-user managed service account (MSA) access, you should apply the appropriate [policy](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts#block-all-consumer-microsoft-account-user-authentication) instead of blocking this endpoint. | | `https://www.msftncsi.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. | | `https://www.msftconnecttest.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. | +| `https://ceuswatcab01.blob.core.windows.net` | Windows Error Reporting (WER); required for uploading crash analytics. | +| `https://ceuswatcab02.blob.core.windows.net` | Windows Error Reporting (WER); required for uploading crash analytics. | +| `https://eaus2watcab01.blob.core.windows.net` | Windows Error Reporting (WER); required for uploading crash analytics. | +| `https://eaus2watcab02.blob.core.windows.net` | Windows Error Reporting (WER); required for uploading crash analytics. | +| `https://weus2watcab01.blob.core.windows.net` | Windows Error Reporting (WER); required for uploading crash analytics. | +| `https://weus2watcab02.blob.core.windows.net` | Windows Error Reporting (WER); required for uploading crash analytics. | >[!NOTE] diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md index 5be86f56ab..76e0198780 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md +++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: jaimeo -ms.date: 05/31/2018 +ms.date: 10/29/2018 --- # Upgrade Readiness deployment script @@ -286,17 +286,6 @@ The deployment script displays the following exit codes to let you know if it wa 45 - Diagrack.dll was not found. Update the PC using Windows Update/Windows Server Update Services. - - 46 - **DisableEnterpriseAuthProxy** property should be set to **1** for **ClientProxy=Telemetry** to work. - Set the **DisableEnterpriseAuthProxy** registry property to **1** at key path **HKLM:\SOFTWARE\Policies\Microsoft -\Windows\DataCollection**. - - - 47 - **TelemetryProxyServer** is not present in key path **HKLM:\SOFTWARE\Policies\Microsoft -\Windows\DataCollection**. - **ClientProxy** selected is **Telemetry**, but you need to add **TelemetryProxyServer** in key path **HKLM:\SOFTWARE\Policies\Microsoft -\Windows\DataCollection**. - 48 - **CommercialID** mentioned in RunConfig.bat should be a GUID. **CommercialID** is mentioned in RunConfig.bat, but it is not a GUID. Copy the commercialID from your workspace. To find the commercialID, in the OMS portal click **Upgrade Readiness > Settings**. diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 6436e38396..cd8898c653 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -1,445 +1,451 @@ ---- -description: Use this article to make informed decisions about how you can configure diagnostic data in your organization. -title: Configure Windows diagnostic data in your organization (Windows 10) -keywords: privacy -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: high -author: brianlic-msft -ms.date: 04/04/2018 ---- - -# Configure Windows diagnostic data in your organization - -**Applies to** - -- Windows 10 Enterprise -- Windows 10 Mobile -- Windows Server - -At Microsoft, we use Windows diagnostic data to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data gives users a voice in the operating system’s development. This guide describes the importance of Windows diagnostic data and how we protect that data. Additionally, it differentiates between diagnostic data and functional data. It also describes the diagnostic data levels that Windows supports. Of course, you can choose how much diagnostic data is shared with Microsoft, and this guide demonstrates how. - -To frame a discussion about diagnostic data, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows diagnostic data system in the following ways: - -- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools. -- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions. -- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection. -- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right. -- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting. -- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers. - -This article applies to Windows and Windows Server diagnostic data only. Other Microsoft or third-party apps, such as System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager, might send data to their cloud services in ways that are inconsistent with this guide. Their publishers are responsible for notifying users of their privacy policies, diagnostic data controls, and so on. This article describes the types of diagnostic data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers. - -Use this article to make informed decisions about how you might configure diagnostic data in your organization. Diagnostic data is a term that means different things to different people and organizations. For this article, we discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry component. The diagnostic data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services. - -We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. - -## Overview - -In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM. - -For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization. - -## Understanding Windows diagnostic data - -Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us. - -The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts. - -### What is Windows diagnostic data? -Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways: - -- Keep Windows up to date -- Keep Windows secure, reliable, and performant -- Improve Windows – through the aggregate analysis of the use of Windows -- Personalize Windows engagement surfaces - -Here are some specific examples of Windows diagnostic data: - -- Type of hardware being used -- Applications installed and usage details -- Reliability information on device drivers - -### What is NOT diagnostic data? - -Diagnostic data can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not diagnostic data. For example, exchanging a user’s location for local weather or news is not an example of diagnostic data—it is functional data that the app or service requires to satisfy the user’s request. - -There are subtle differences between diagnostic data and functional data. Windows collects and sends diagnostic data in the background automatically. You can control how much information is gathered by setting the diagnostic data level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data. - -If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services). - -The following are specific examples of functional data: - -- Current location for weather -- Bing searches -- Wallpaper and desktop settings synced across multiple devices - -### Diagnostic data gives users a voice - -Windows and Windows Server diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server 2016 behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits. - -### Drive higher app and driver quality - -Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues. - -#### Real-world example of how Windows diagnostic data helps -There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls. - -### Improve end-user productivity - -Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are: - -- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time. -- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance. -- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature. - -**These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.** - - -### Insights into your own organization - -Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). - -#### Upgrade Readiness - -Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. - -To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis. - -With Windows diagnostic data enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft. - -Use Upgrade Readiness to get: - -- A visual workflow that guides you from pilot to production -- Detailed computer, driver, and application inventory -- Powerful computer level search and drill-downs -- Guidance and insights into application and driver compatibility issues with suggested fixes -- Data driven application rationalization tools -- Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools - -The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. - -## How is diagnostic data handled by Microsoft? - -### Data collection - -Windows 10 and Windows Server 2016 includes the Connected User Experiences and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores diagnostic data events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology. - -1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces. -2. Events are gathered using public operating system event logging and tracing APIs. -3. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings. -4. The Connected User Experiences and Telemetry component transmits the diagnostic data. - -Info collected at the Enhanced and Full levels of diagnostic data is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels. - -### Data transmission - -All diagnostic data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks. - -The data transmitted at the Basic and Enhanced data diagnostic levels is quite small; typically less than 1 MB per device per day, but occasionally up to 2 MB per device per day). - - -### Endpoints - -The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access. - -The following table defines the endpoints for Connected User Experiences and Telemetry component: - -Windows release | Endpoint ---- | --- -Windows 10, versions 1703 and 1709 | Diagnostics data: v10.vortex-win.data.microsoft.com/collect/v1

Functional: v20.vortex-win.data.microsoft.com/collect/v1
Windows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com/collect/v1
settings-win.data.microsoft.com -Windows 10, version 1607 | v10.vortex-win.data.microsoft.com

settings-win.data.microsoft.com - -The following table defines the endpoints for other diagnostic data services: - -| Service | Endpoint | -| - | - | -| [Windows Error Reporting](https://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com | -| [Online Crash Analysis](https://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com | -| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 | - -### Data use and access - -The principle of least privileged access guides access to diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management. - -### Retention - -Microsoft believes in and practices information minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history. - -## Diagnostic data levels -This section explains the different diagnostic data levels in Windows 10, Windows Server 2016, and System Center. These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. - -The diagnostic data is categorized into four levels: - -- **Security**. Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. - -- **Basic**. Basic device info, including: quality-related data, app compatibility, and data from the **Security** level. - -- **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels. - -- **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels. - -The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016. - -![breakdown of diagnostic data levels and types of administrative controls](images/priv-telemetry-levels.png) - -### Security level - -The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions. - -> [!NOTE] -> If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. - -Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data about Windows Server features or System Center gathered. - -The data gathered at this level includes: - -- **Connected User Experiences and Telemetry component settings**. If general diagnostic data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop). - -- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address. - - > [!NOTE] - > You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716). - -- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address. - - > [!NOTE] - > This reporting can be turned off and no information is included if a customer is using third-party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender). - - Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates. - -For servers with default diagnostic data settings and no Internet connectivity, you should set the diagnostic data level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity. - -No user content, such as user files or communications, is gathered at the **Security** diagnostic data level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time. - -### Basic level - -The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experiences and Telemetry component does not gather diagnostic data about System Center, but it can transmit diagnostic data for other non-Windows applications if they have user consent. - -The normal upload range for the Basic diagnostic data level is between 109 KB - 159 KB per day, per device. - -The data gathered at this level includes: - -- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 in the ecosystem. Examples include: - - - Device attributes, such as camera resolution and display type - - - Internet Explorer version - - - Battery attributes, such as capacity and type - - - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number - - - Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware - - - Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system - - - Operating system attributes, such as Windows edition and virtualization state - - - Storage attributes, such as number of drives, type, and size - -- **Connected User Experiences and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experiences and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time. - -- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app. - -- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems. - - - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage. - - - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade. - - - **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS. - - - **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system. - - - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements. - -- **Microsoft Store**. Provides information about how the Microsoft Store performs, including app downloads, installations, and updates. It also includes Microsoft Store launches, page views, suspend and resumes, and obtaining licenses. - - -### Enhanced level - -The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. - -This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues. - -The normal upload range for the Enhanced diagnostic data level is between 239 KB - 348 KB per day, per device. - -The data gathered at this level includes: - -- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components. - -- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge. - -- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events. - -- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps. - -If the Connected User Experiences and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experiences and Telemetry component at the **Enhanced** diagnostic data level will only gather data about the events associated with the specific issue. - -#### Limit Enhanced diagnostic data to the minimum required by Windows Analytics -Windows Analytics Device Health reports are powered by diagnostic data not included in the **Basic** level, such as crash reports and certain operating system events. In the past, organizations sending **Enhanced** or **Full** level diagnostic data were able to participate in Device Health. However, organizations that required detailed event and field level documentation were unable to move from **Basic** to **Enhanced**. - -In Windows 10, version 1709, we introduce the **Limit Enhanced diagnostic data to the minimum required by Windows Analytics** feature. When enabled, this feature lets you send only the following subset of **Enhanced** level diagnostic data. For more info about Device Health, see the [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor) topic. - -- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) topic. - -- **Some crash dump types.** All crash dump types, except for heap and full dumps. - -**To turn on this behavior for devices** - -1. Set the diagnostic data level to **Enhanced**, using either Group Policy or MDM. - - a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Allow telemetry** setting to **2**. - - -OR- - - b. Using MDM, use the Policy CSP to set the **System/AllowTelemetry** value to **2**. - - -AND- - -2. Enable the **LimitEnhancedDiagnosticDataWindowsAnalytics** setting, using either Group Policy or MDM. - - a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data collection and Preview builds/Limit Enhanced diagnostic data to the minimum required by Windows Analytics** setting to **Enabled**. - - -OR- - - b. Using MDM, use the Policy CSP to set the **System/LimitEnhancedDiagnosticDataWindowsAnalytics** value to **1**. - -### Full level - -The **Full** level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels. This is the default level for Windows 10 Pro. - -Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level. - -If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** diagnostic data level and have exhibited the problem. - -However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information: - -- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe. - -- Ability to get registry keys. - -- All crash dump types, including heap dumps and full dumps. - -## Enterprise management - -Sharing diagnostic data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option. - -Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic and Full. The Enhanced level will only be displayed as an option when Group Policy or Mobile Device Management (MDM) are invoked with this level. The Security level is not available. - -IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a diagnostic data level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016, the Security diagnostic data level is available when managing the policy. Setting the diagnostic data level through policy sets the upper boundary for the users’ choices. To disable user choice after setting the level with the policy, you will need to use the "Configure telemetry opt-in setting user interface" group policy. The remainder of this section describes how to use group policy to configure levels and settings interface. - - -### Manage your diagnostic data settings - -We do not recommend that you turn off diagnostic data in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center. - -> [!IMPORTANT] -> These diagnostic data levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experiences and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these diagnostic data levels. You should work with your app vendors to understand their diagnostic data policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of Office Telemetry](https://technet.microsoft.com/library/jj863580.aspx). - -You can turn on or turn off System Center diagnostic data gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center diagnostic data is turned on. However, setting the operating system diagnostic data level to **Basic** will turn off System Center diagnostic data, even if the System Center diagnostic data switch is turned on. - -The lowest diagnostic data setting level supported through management policies is **Security**. The lowest diagnostic data setting supported through the Settings UI is **Basic**. The default diagnostic data setting for Windows Server 2016 is **Enhanced**. - -### Configure the operating system diagnostic data level - -You can configure your operating system diagnostic data settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data on the device. - -Use the appropriate value in the table below when you configure the management policy. - -| Level | Data gathered | Value | -| - | - | - | -| Security | Security data only. | **0** | -| Basic | Security data, and basic system and quality data. | **1** | -| Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. | **2** | -| Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** | - - > [!NOTE] - > When the User Configuration policy is set for Diagnostic Data, this will override the Computer Configuration setting. - -### Use Group Policy to set the diagnostic data level - -Use a Group Policy object to set your organization’s diagnostic data level. - -1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**. - -2. Double-click **Allow Telemetry**. - -3. In the **Options** box, select the level that you want to configure, and then click **OK**. - -### Use MDM to set the diagnostic data level - -Use the [Policy Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy. - -### Use Registry Editor to set the diagnostic data level - -Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting. - -1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection**. - -2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**. - -3. Type **AllowTelemetry**, and then press ENTER. - -4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.** - -5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization. - -### Configure System Center 2016 diagnostic data - -For System Center 2016 Technical Preview, you can turn off System Center diagnostic data by following these steps: - -- Turn off diagnostic data by using the System Center UI Console settings workspace. - -- For information about turning off diagnostic data for Service Management Automation and Service Provider Foundation, see [How to disable telemetry for Service Management Automation and Service Provider Foundation](https://support.microsoft.com/kb/3096505). - -### Additional diagnostic data controls - -There are a few more settings that you can turn off that may send diagnostic data information: - -- To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](https://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/). - -- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**. - -- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716). - -- Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At diagnostic data levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. - - > [!NOTE] - > Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information. - -## Additional resources - -FAQs - -- [Cortana, Search, and privacy](https://privacy.microsoft.com/windows-10-cortana-and-privacy) -- [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy) -- [Windows 10 camera and privacy](https://privacy.microsoft.com/windows-10-camera-and-privacy) -- [Windows 10 location service and privacy](https://privacy.microsoft.com/windows-10-location-and-privacy) -- [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy) -- [Windows 10 speech, inking, typing, and privacy](https://privacy.microsoft.com/windows-10-speech-inking-typing-and-privacy-faq) -- [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy) -- [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense) -- [Windows Update Delivery Optimization](https://privacy.microsoft.com/windows-10-windows-update-delivery-optimization) - -Blogs - -- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10) - -Privacy Statement - -- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) - -TechNet - -- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) - -Web Pages - -- [Privacy at Microsoft](https://privacy.microsoft.com) - - +--- +description: Use this article to make informed decisions about how you can configure diagnostic data in your organization. +title: Configure Windows diagnostic data in your organization (Windows 10) +keywords: privacy +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: high +author: brianlic-msft +ms.date: 04/04/2018 +--- + +# Configure Windows diagnostic data in your organization + +**Applies to** + +- Windows 10 Enterprise +- Windows 10 Mobile +- Windows Server + +At Microsoft, we use Windows diagnostic data to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data gives users a voice in the operating system’s development. This guide describes the importance of Windows diagnostic data and how we protect that data. Additionally, it differentiates between diagnostic data and functional data. It also describes the diagnostic data levels that Windows supports. Of course, you can choose how much diagnostic data is shared with Microsoft, and this guide demonstrates how. + +To frame a discussion about diagnostic data, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows diagnostic data system in the following ways: + +- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools. +- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions. +- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection. +- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right. +- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting. +- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers. + +This article applies to Windows and Windows Server diagnostic data only. Other Microsoft or third-party apps, such as System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager, might send data to their cloud services in ways that are inconsistent with this guide. Their publishers are responsible for notifying users of their privacy policies, diagnostic data controls, and so on. This article describes the types of diagnostic data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers. + +Use this article to make informed decisions about how you might configure diagnostic data in your organization. Diagnostic data is a term that means different things to different people and organizations. For this article, we discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry component. The diagnostic data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services. + +We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. + +## Overview + +In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM. + +For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization. + +## Understanding Windows diagnostic data + +Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us. + +The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts. + +### What is Windows diagnostic data? +Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways: + +- Keep Windows up to date +- Keep Windows secure, reliable, and performant +- Improve Windows – through the aggregate analysis of the use of Windows +- Personalize Windows engagement surfaces + +Here are some specific examples of Windows diagnostic data: + +- Type of hardware being used +- Applications installed and usage details +- Reliability information on device drivers + +### What is NOT diagnostic data? + +Diagnostic data can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not diagnostic data. For example, exchanging a user’s location for local weather or news is not an example of diagnostic data—it is functional data that the app or service requires to satisfy the user’s request. + +There are subtle differences between diagnostic data and functional data. Windows collects and sends diagnostic data in the background automatically. You can control how much information is gathered by setting the diagnostic data level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data. + +If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services). + +The following are specific examples of functional data: + +- Current location for weather +- Bing searches +- Wallpaper and desktop settings synced across multiple devices + +### Diagnostic data gives users a voice + +Windows and Windows Server diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server 2016 behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits. + +### Drive higher app and driver quality + +Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues. + +#### Real-world example of how Windows diagnostic data helps +There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls. + +### Improve end-user productivity + +Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are: + +- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time. +- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance. +- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature. + +**These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.** + + +### Insights into your own organization + +Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). + +#### Upgrade Readiness + +Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. + +To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis. + +With Windows diagnostic data enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft. + +Use Upgrade Readiness to get: + +- A visual workflow that guides you from pilot to production +- Detailed computer, driver, and application inventory +- Powerful computer level search and drill-downs +- Guidance and insights into application and driver compatibility issues with suggested fixes +- Data driven application rationalization tools +- Application usage information, allowing targeted validation; workflow to track validation progress and decisions +- Data export to commonly used software deployment tools + +The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. + +## How is diagnostic data handled by Microsoft? + +### Data collection + +Windows 10 and Windows Server 2016 includes the Connected User Experiences and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores diagnostic data events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology. + +1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces. +2. Events are gathered using public operating system event logging and tracing APIs. +3. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings. +4. The Connected User Experiences and Telemetry component transmits the diagnostic data. + +Info collected at the Enhanced and Full levels of diagnostic data is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels. + +### Data transmission + +All diagnostic data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks. + +The data transmitted at the Basic and Enhanced data diagnostic levels is quite small; typically less than 1 MB per device per day, but occasionally up to 2 MB per device per day). + + +### Endpoints + +The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access. + +The following table defines the endpoints for Connected User Experiences and Telemetry component: + +Windows release | Endpoint +--- | --- +Windows 10, versions 1703 and 1709 | Diagnostics data: v10.vortex-win.data.microsoft.com/collect/v1

Functional: v20.vortex-win.data.microsoft.com/collect/v1
Windows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com/collect/v1
settings-win.data.microsoft.com +Windows 10, version 1607 | v10.vortex-win.data.microsoft.com

settings-win.data.microsoft.com + +The following table defines the endpoints for other diagnostic data services: + +| Service | Endpoint | +| - | - | +| [Windows Error Reporting](https://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com | +| | ceuswatcab01.blob.core.windows.net | +| | ceuswatcab02.blob.core.windows.net | +| | eaus2watcab01.blob.core.windows.net | +| | eaus2watcab02.blob.core.windows.net | +| | weus2watcab01.blob.core.windows.net | +| | weus2watcab02.blob.core.windows.net | +| [Online Crash Analysis](https://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com | +| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 | + +### Data use and access + +The principle of least privileged access guides access to diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management. + +### Retention + +Microsoft believes in and practices information minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history. + +## Diagnostic data levels +This section explains the different diagnostic data levels in Windows 10, Windows Server 2016, and System Center. These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. + +The diagnostic data is categorized into four levels: + +- **Security**. Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. + +- **Basic**. Basic device info, including: quality-related data, app compatibility, and data from the **Security** level. + +- **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels. + +- **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels. + +The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016. + +![breakdown of diagnostic data levels and types of administrative controls](images/priv-telemetry-levels.png) + +### Security level + +The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions. + +> [!NOTE] +> If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. + +Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data about Windows Server features or System Center gathered. + +The data gathered at this level includes: + +- **Connected User Experiences and Telemetry component settings**. If general diagnostic data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop). + +- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address. + + > [!NOTE] + > You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716). + +- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address. + + > [!NOTE] + > This reporting can be turned off and no information is included if a customer is using third-party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender). + + Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates. + +For servers with default diagnostic data settings and no Internet connectivity, you should set the diagnostic data level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity. + +No user content, such as user files or communications, is gathered at the **Security** diagnostic data level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time. + +### Basic level + +The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experiences and Telemetry component does not gather diagnostic data about System Center, but it can transmit diagnostic data for other non-Windows applications if they have user consent. + +The normal upload range for the Basic diagnostic data level is between 109 KB - 159 KB per day, per device. + +The data gathered at this level includes: + +- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 in the ecosystem. Examples include: + + - Device attributes, such as camera resolution and display type + + - Internet Explorer version + + - Battery attributes, such as capacity and type + + - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number + + - Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware + + - Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system + + - Operating system attributes, such as Windows edition and virtualization state + + - Storage attributes, such as number of drives, type, and size + +- **Connected User Experiences and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experiences and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time. + +- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app. + +- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems. + + - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage. + + - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade. + + - **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS. + + - **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system. + + - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements. + +- **Microsoft Store**. Provides information about how the Microsoft Store performs, including app downloads, installations, and updates. It also includes Microsoft Store launches, page views, suspend and resumes, and obtaining licenses. + + +### Enhanced level + +The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. + +This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues. + +The normal upload range for the Enhanced diagnostic data level is between 239 KB - 348 KB per day, per device. + +The data gathered at this level includes: + +- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components. + +- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge. + +- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events. + +- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps. + +If the Connected User Experiences and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experiences and Telemetry component at the **Enhanced** diagnostic data level will only gather data about the events associated with the specific issue. + +#### Limit Enhanced diagnostic data to the minimum required by Windows Analytics +Windows Analytics Device Health reports are powered by diagnostic data not included in the **Basic** level, such as crash reports and certain operating system events. In the past, organizations sending **Enhanced** or **Full** level diagnostic data were able to participate in Device Health. However, organizations that required detailed event and field level documentation were unable to move from **Basic** to **Enhanced**. + +In Windows 10, version 1709, we introduce the **Limit Enhanced diagnostic data to the minimum required by Windows Analytics** feature. When enabled, this feature lets you send only the following subset of **Enhanced** level diagnostic data. For more info about Device Health, see the [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor) topic. + +- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) topic. + +- **Some crash dump types.** All crash dump types, except for heap and full dumps. + +**To turn on this behavior for devices** + +1. Set the diagnostic data level to **Enhanced**, using either Group Policy or MDM. + + a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Allow telemetry** setting to **2**. + + -OR- + + b. Using MDM, use the Policy CSP to set the **System/AllowTelemetry** value to **2**. + + -AND- + +2. Enable the **LimitEnhancedDiagnosticDataWindowsAnalytics** setting, using either Group Policy or MDM. + + a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data collection and Preview builds/Limit Enhanced diagnostic data to the minimum required by Windows Analytics** setting to **Enabled**. + + -OR- + + b. Using MDM, use the Policy CSP to set the **System/LimitEnhancedDiagnosticDataWindowsAnalytics** value to **1**. + +### Full level + +The **Full** level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels. This is the default level for Windows 10 Pro. + +Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level. + +If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** diagnostic data level and have exhibited the problem. + +However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information: + +- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe. + +- Ability to get registry keys. + +- All crash dump types, including heap dumps and full dumps. + +## Enterprise management + +Sharing diagnostic data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option. + +Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic and Full. The Enhanced level will only be displayed as an option when Group Policy or Mobile Device Management (MDM) are invoked with this level. The Security level is not available. + +IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a diagnostic data level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016, the Security diagnostic data level is available when managing the policy. Setting the diagnostic data level through policy sets the upper boundary for the users’ choices. To disable user choice after setting the level with the policy, you will need to use the "Configure telemetry opt-in setting user interface" group policy. The remainder of this section describes how to use group policy to configure levels and settings interface. + + +### Manage your diagnostic data settings + +We do not recommend that you turn off diagnostic data in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center. + +> [!IMPORTANT] +> These diagnostic data levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experiences and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these diagnostic data levels. You should work with your app vendors to understand their diagnostic data policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of Office Telemetry](https://technet.microsoft.com/library/jj863580.aspx). + +You can turn on or turn off System Center diagnostic data gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center diagnostic data is turned on. However, setting the operating system diagnostic data level to **Basic** will turn off System Center diagnostic data, even if the System Center diagnostic data switch is turned on. + +The lowest diagnostic data setting level supported through management policies is **Security**. The lowest diagnostic data setting supported through the Settings UI is **Basic**. The default diagnostic data setting for Windows Server 2016 is **Enhanced**. + +### Configure the operating system diagnostic data level + +You can configure your operating system diagnostic data settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data on the device. + +Use the appropriate value in the table below when you configure the management policy. + +| Level | Data gathered | Value | +| - | - | - | +| Security | Security data only. | **0** | +| Basic | Security data, and basic system and quality data. | **1** | +| Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. | **2** | +| Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** | + + > [!NOTE] + > When the User Configuration policy is set for Diagnostic Data, this will override the Computer Configuration setting. + +### Use Group Policy to set the diagnostic data level + +Use a Group Policy object to set your organization’s diagnostic data level. + +1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**. + +2. Double-click **Allow Telemetry**. + +3. In the **Options** box, select the level that you want to configure, and then click **OK**. + +### Use MDM to set the diagnostic data level + +Use the [Policy Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy. + +### Use Registry Editor to set the diagnostic data level + +Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting. + +1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection**. + +2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**. + +3. Type **AllowTelemetry**, and then press ENTER. + +4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.** + +5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization. + +### Configure System Center 2016 diagnostic data + +For System Center 2016 Technical Preview, you can turn off System Center diagnostic data by following these steps: + +- Turn off diagnostic data by using the System Center UI Console settings workspace. + +- For information about turning off diagnostic data for Service Management Automation and Service Provider Foundation, see [How to disable telemetry for Service Management Automation and Service Provider Foundation](https://support.microsoft.com/kb/3096505). + +### Additional diagnostic data controls + +There are a few more settings that you can turn off that may send diagnostic data information: + +- To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](https://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/). + +- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**. + +- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716). + +- Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At diagnostic data levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. + + > [!NOTE] + > Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information. + +## Additional resources + +FAQs + +- [Cortana, Search, and privacy](https://privacy.microsoft.com/windows-10-cortana-and-privacy) +- [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy) +- [Windows 10 camera and privacy](https://privacy.microsoft.com/windows-10-camera-and-privacy) +- [Windows 10 location service and privacy](https://privacy.microsoft.com/windows-10-location-and-privacy) +- [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy) +- [Windows 10 speech, inking, typing, and privacy](https://privacy.microsoft.com/windows-10-speech-inking-typing-and-privacy-faq) +- [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy) +- [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense) +- [Windows Update Delivery Optimization](https://privacy.microsoft.com/windows-10-windows-update-delivery-optimization) + +Blogs + +- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10) + +Privacy Statement + +- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) + +TechNet + +- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) + +Web Pages + +- [Privacy at Microsoft](https://privacy.microsoft.com) + + diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md index 3f4c11004e..8952d30367 100644 --- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md +++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md @@ -1,6 +1,6 @@ --- description: Use this article to learn more about the enhanced diagnostic data events used by Windows Analytics -title: Windows 10, version 1709 enhanced telemtry events and fields used by Windows Analytics (Windows 10) +title: Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics (Windows 10) keywords: privacy, diagnostic data ms.prod: w10 ms.mktglfcycl: manage @@ -8,8 +8,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: high ms.date: 10/16/2017 -author: jaimeo -ms.author: jaimeo +author: danihalfin +ms.author: daniha --- @@ -57,6 +57,184 @@ The following fields are available: - **WriteCountAtExit_Sum:** Total number of IO writes for a process when it exited - **WriteSizeInKBAtExit_Sum:** Total size of IO writes for a process when it exited +## Microsoft.Office.TelemetryEngine.IsPreLaunch +Applicable for Office UWP applications. This event is fired when an office application is initiated for the first-time post upgrade/install from the store. This is part of basic diagnostic data, used to track whether a particular session is launch session or not. + +- **appVersionBuild:** Third part of the version *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **SessionID:** ID of the session + +## Microsoft.Office.SessionIdProvider.OfficeProcessSessionStart +This event sends basic information upon the start of a new Office session. This is used to count the number of unique sessions seen on a given device. This is used as a heartbeat event to ensure that the application is running on a device or not. In addition, it serves as a critical signal for overall application reliability. + +- **AppSessionGuid:** ID of the session which maps to the process of the application +- **processSessionId:** ID of the session which maps to the process of the application + +## Microsoft.Office.TelemetryEngine.SessionHandOff +Applicable to Win32 Office applications. This event helps us understand whether there was a new session created to handle a user-initiated file open event. It is a critical diagnostic information that is used to derive reliability signal and ensure that the application is working as expected. + +- **appVersionBuild:** Third part Build version of the application *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **childSessionID:** Id of the session that was created to handle the user initiated file open +- **parentSessionId:** ID of the session that was already running + +## Microsoft.Office.CorrelationMetadata.UTCCorrelationMetadata +Collects Office metadata through UTC to compare with equivalent data collected through the Office telemetry pipeline to check correctness and completeness of data. + +- **abConfigs:** List of features enabled for this session +- **abFlights:** List of features enabled for this session +- **AppSessionGuid:** ID of the session +- **appVersionBuild:** Third part Build version of the application *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRevision:** Fourth part of the version *.*.*.XXXXX +- **audienceGroup:** Is this part of the insiders or production +- **audienceId:** ID of the audience setting +- **channel:** Are you part of Semi annual channel or Semi annual channel-Targeted? +- **deviceClass:** Is this a desktop or a mobile? +- **impressionId:** What features were available to you in this session +- **languageTag:** Language of the app +- **officeUserID:** A unique identifier tied to the office installation on a particular device. +- **osArchitecture:** Is the machine 32 bit or 64 bit? +- **osEnvironment:** Is this a win32 app or a UWP app? +- **osVersionString:** Version of the OS +- **sessionID:** ID of the session + +## Microsoft.Office.ClickToRun.UpdateStatus +Applicable to all Win32 applications. Helps us understand the status of the update process of the office suite (Success or failure with error details). + +- **build:** App version +- **channel:** Is this part of SAC or SAC-T? +- **errorCode:** What error occurred during the upgrade process? +- **errorMessage:** what was the error message during the upgrade process? +- **status:** Was the upgrade successful or not? +- **targetBuild:** What app version were we trying to upgrade to? + +## Microsoft.Office.TelemetryEngine.FirstIdle +This event is fired when the telemetry engine within an office application is ready to send telemetry. Used for understanding whether there are issues in telemetry. + +- **appVersionBuild:** Third part of the version *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user +- **SessionID:** ID of the session + +## Microsoft.Office.TelemetryEngine.FirstProcessed +This event is fired when the telemetry engine within an office application has processed the rules or the list of events that we need to collect. Used for understanding whether there are issues in telemetry. + +- **appVersionBuild:** Third part of the version *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user +- **SessionID:** ID of the session + +## Microsoft.Office.TelemetryEngine.FirstRuleRequest +This event is fired when the telemetry engine within an office application has received the first rule or list of events that need to be sent by the app. Used for understanding whether there are issues in telemetry. + +- **appVersionBuild:** Third part of the version *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user +- **SessionID:** ID of the session + +## Microsoft.Office.TelemetryEngine.Init +This event is fired when the telemetry engine within an office application has been initialized or not. Used for understanding whether there are issues in telemetry. + +- **appVersionBuild:** Third part of the version *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user +- **SessionID:** ID of the session + +## Microsoft.Office.TelemetryEngine.Resume +This event is fired when the application resumes from sleep state. Used for understanding whether there are issues in the application life-cycle. + +- **appVersionBuild:** Third part of the version *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **maxSequenceIdSeen:** How many events from this session have seen so far? +- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user +- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed? +- **SessionID:** ID of the session + +## Microsoft.Office.TelemetryEngine.RuleRequestFailed +This event is fired when the telemetry engine within an office application fails to retrieve the rules containing the list of telemetry events. Used for understanding whether there are issues in telemetry. + +- **appVersionBuild:** Third part of the version *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user +- **SessionID:** ID of the session + +## Microsoft.Office.TelemetryEngine.RuleRequestFailedDueToClientOffline +This event is fired when the telemetry engine within an office application fails to retrieve the rules containing the list of telemetry events, when the device is offline. Used for understanding whether there are issues in telemetry. + +- **appVersionBuild:** Third part of the version *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user +- **SessionID:** ID of the session + +## Microsoft.Office.TelemetryEngine.ShutdownComplete +This event is fired when the telemetry engine within an office application has processed the rules or the list of events that we need to collect. Useful for understanding whether a particular crash is happening during an app-shutdown, and could potentially lead in data loss or not. + +- **appVersionBuild:** Third part of the version *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **maxSequenceIdSeen:** How many events from this session have seen so far? +- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user +- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed? +- **SessionID:** ID of the session + +## Microsoft.Office.TelemetryEngine.ShutdownStart +This event is fired when the telemetry engine within an office application been uninitialized, and the application is shutting down. Useful for understanding whether a particular crash is happening during an app-shutdown, and could potentially lead in data loss or not. + +- **appVersionBuild:** Third part of the version *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user +- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed? +- **SessionID:** ID of the session + +## Microsoft.Office.TelemetryEngine.SuspendComplete +This event is fired when the telemetry engine within an office application has processed the rules or the list of events that we need to collect. Used for understanding whether there are issues in telemetry. + +- **appVersionBuild:** Third part of the version *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **maxSequenceIdSeen:** How many events from this session have seen so far? +- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user +- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed? +- **SessionID:** ID of the session +- **SuspendType:** Type of suspend + +## Microsoft.Office.TelemetryEngine.SuspendStart +This event is fired when the office application suspends as per app life-cycle change. Used for understanding whether there are issues in the application life-cycle. + +- **appVersionBuild:** Third part of the version *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **maxSequenceIdSeen:** How many events from this session have seen so far? +- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user +- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed? +- **SessionID:** ID of the session +- **SuspendType:** Type of suspend + ## Microsoft.OSG.OSS.CredProvFramework.ReportResultStop This event indicates the result of an attempt to authenticate a user with a credential provider. It helps Microsoft to improve logon reliability. Using this event with Windows Analytics can help organizations monitor and improve logon success for different methods (for example, biometric) on managed devices. @@ -251,7 +429,13 @@ The following fields are available: - **WindowHeight:** Number of vertical pixels in the application window - **WindowWidth:** Number of horizontal pixels in the application window -# Revisions to the diagnostic data events and fields +## Revisions -## PartA_UserSid removed -A previous revision of this list stated that a field named PartA_UserSid was a member of the event Microsoft.Windows.LogonController.LogonAndUnlockSubmit. This was incorrect. The list has been updated to reflect that no such field is present in the event. Note that you can use the Windows Diagnostic Data Viewer to review the contents of the event. +### PartA_UserSid removed +A previous revision of this list stated that a field named PartA_UserSid was a member of the event Microsoft.Windows.LogonController.LogonAndUnlockSubmit. This was incorrect. The list has been updated to reflect that no such field is present in the event. + +### Office events added +In Windows 10, version 1809 (also applies to versions 1709 and 1803 starting with [KB 4462932](https://support.microsoft.com/help/4462932/windows-10-update-kb4462932) and [KB 4462933](https://support.microsoft.com/help/4462933/windows-10-update-kb4462933) respectively), 16 events were added, describing Office app launch and availability. These events were added to improve the precision of Office data in Windows Analytics. + +>[!NOTE] +>You can use the Windows Diagnostic Data Viewer to observe and review events and their fields as described in this topic. diff --git a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md index b0ee83d6a3..72a79162f0 100644 --- a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md @@ -49,7 +49,6 @@ We used the following methodology to derive these network endpoints: | *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | | *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. | | .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | | 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | | 2.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | | arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | @@ -108,7 +107,13 @@ We used the following methodology to derive these network endpoints: | v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | | wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | | wallet-frontend-prod-westus.cloudapp.net | TLSv1.2 | Used by the Microsoft Wallet app. | -| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | | wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | | wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. | | www.bing.com | HTTP | Used for updates for Cortana, apps, and Live Tiles. | @@ -192,12 +197,17 @@ We used the following methodology to derive these network endpoints: | storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | | store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | | store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | -| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | | tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | | tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | | v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | | wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | -| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | | wdcp.microsoft.akadns.net | HTTPS | Used for Windows Defender when Cloud-based Protection is enabled. | | wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. | | www.bing.com | TLSv1.2 | Used for updates for Cortana, apps, and Live Tiles. | @@ -265,9 +275,15 @@ We used the following methodology to derive these network endpoints: | sls.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | | store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | | tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | -| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | | tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. | | wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | -| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | + | wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | | www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | \ No newline at end of file diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index a48a31d0b7..3145f56988 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -435,6 +435,8 @@ ### [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) +### [Use attack surface reduction rules in Windows 10 Enterprise E3](windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md) + ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) diff --git a/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md index 2d717ef457..ae04f96b3d 100644 --- a/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/03/2018 +ms.date: 10/29/2018 --- @@ -19,7 +19,6 @@ ms.date: 09/03/2018 **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prereleaseinformation](prerelease.md)] 1. In the navigation pane, select **Advanced hunting**. diff --git a/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md index 55ddba1528..f94250c812 100644 --- a/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/03/2018 +ms.date: 10/29/2018 --- # Managed security service provider support @@ -21,7 +21,7 @@ ms.date: 09/03/2018 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink) -[!include[Prereleaseinformation](prerelease.md)] + Security is recognized as a key component in running an enterprise, however some organizations might not have the capacity or expertise to have a dedicated security operations team to manage the security of their endpoints and network, others may want to have a second set of eyes to review alerts in their network. diff --git a/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md index 64bf36aac0..40d4dc50bc 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/03/2018 +ms.date: 10/29/2018 --- @@ -19,7 +19,6 @@ ms.date: 09/03/2018 **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prereleaseinformation](prerelease.md)] Alerts in Windows Defender ATP are surfaced through the system based on signals gathered from endpoints. With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md index 33048913ee..9a703bf22c 100644 --- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md @@ -39,22 +39,10 @@ Turn on the preview experience setting to be among the first to try upcoming fea ## Preview features The following features are included in the preview release: -- [Threat analytics](threat-analytics.md)
-Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. - - [Incidents](incidents-queue.md)
Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network. -- [Custom detection](overview-custom-detections.md)
- With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. - - -- [Managed security service provider (MSSP) support](mssp-support-windows-defender-advanced-threat-protection.md)
-Windows Defender ATP adds support for this scenario by providing MSSP integration. -The integration will allow MSSPs to take the following actions: -Get access to MSSP customer's Windows Defender Security Center portal, fet email notifications, and fetch alerts through security information and event management (SIEM) tools. - - [Integration with Azure Security Center](configure-server-endpoints-windows-defender-advanced-threat-protection.md#integration-with-azure-security-center)
Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. diff --git a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md index 1ca8dbce8e..36ff48cd5d 100644 --- a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.sitesec: library ms.pagetype: security author: mjcaparas ms.localizationpriority: medium -ms.date: 04/24/2018 +ms.date: 10/26/2018 --- # Configure the security controls in Secure score @@ -175,6 +175,10 @@ For more information, see [Windows Defender Application Guard overview](../windo ### Windows Defender SmartScreen optimization For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender SmartScreen is fulfilled. +>[!WARNING] +> Data collected by Windows Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Windows Defender ATP data. + + >[!IMPORTANT] >This security control is only applicable for machines with Windows 10, version 1709 or later. diff --git a/windows/security/threat-protection/windows-defender-atp/threat-analytics.md b/windows/security/threat-protection/windows-defender-atp/threat-analytics.md index 3bde0d0f86..bfd50a15cf 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-analytics.md +++ b/windows/security/threat-protection/windows-defender-atp/threat-analytics.md @@ -11,14 +11,13 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/03/2018 +ms.date: 10/29/2018 --- # Threat analytics **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prereleaseinformation](prerelease.md)] Cyberthreats are emerging more frequently and prevalently. It is critical for organizations to be able to quickly assess their security posture, including impact, and organizational resilience in the context of specific emerging threats. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index c7835b34b7..b3f2bb7cac 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 10/17/2018 +ms.date: 10/15/2018 --- # Reduce attack surfaces with attack surface reduction rules @@ -20,27 +20,24 @@ ms.date: 10/17/2018 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature is part of Windows Defender Advanced Threat Protection and provides: -Attack surface reduction rules work best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. +- Rules you can set to enable or disable specific behaviors that are typically used by malware and malicious apps to infect machines, such as: + - Executable files and scripts used in Office apps or web mail that attempt to download or run files + - Scripts that are obfuscated or otherwise suspicious + - Behaviors that apps undertake that are not usually initiated during normal day-to-day work +- Centralized monitoring and reporting with deep optics that help you connect the dots across events, computers and devices, and networks +- Analytics to enable ease of deployment, by using [audit mode](audit-windows-defender-exploit-guard.md) to show how attack surface reduction rules would impact your organization if they were enabled -Attack surface reduction rules each target specific behaviors that are typically used by malware and malicious apps to infect machines, such as: - -- Executable files and scripts used in Office apps or web mail that attempt to download or run files -- Scripts that are obfuscated or otherwise suspicious -- Behaviors that apps undertake that are not usually initiated during normal day-to-day work - -When a rule is triggered, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. - -You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. +When an attack surface reduction rule is triggered, a notification displays from the Action Center on the user's computer. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. ## Requirements -Attack surface reduction rules require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). +Attack surface reduction rules are a feature of Windows Defender ATP and require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). ## Attack surface reduction rules -The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table: +The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table. Rule name | GUID -|- @@ -56,7 +53,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block only Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c The rules apply to the following Office apps: @@ -70,7 +67,6 @@ The rules do not apply to any other Office apps. ### Rule: Block executable content from email client and webmail - This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com): - Executable files (such as .exe, .dll, or .scr) @@ -92,15 +88,12 @@ This rule targets typical behaviors used by suspicious and malicious add-ons and Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. - ### Rule: Block Office applications from injecting code into other processes - Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. - >[!IMPORTANT] >[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). @@ -110,7 +103,6 @@ JavaScript and VBScript scripts can be used by malware to launch other malicious This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. - >[!IMPORTANT] >[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). @@ -120,6 +112,8 @@ Malware and other threats can attempt to obfuscate or hide their malicious code This rule prevents scripts that appear to be obfuscated from running. +It uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script, or blocks scripts when an attempt is made to access them. + ### Rule: Block Win32 API calls from Office macro Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system. @@ -133,14 +127,14 @@ This rule blocks the following file types from being run or launched unless they - Executable files (such as .exe, .dll, or .scr) >[!NOTE] ->You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. +>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. ### Rule: Use advanced protection against ransomware This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list. >[!NOTE] ->You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. +>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. ### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe) @@ -166,7 +160,7 @@ With this rule, admins can prevent unsigned or untrusted executable files from r - Executable files (such as .exe, .dll, or .scr) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) -### Rule: Block Office communication applications from creating child processes +### Rule: Block only Office communication applications from creating child processes Office communication apps will not be allowed to create child processes. This includes Outlook. @@ -176,23 +170,29 @@ This is a typical malware behavior, especially for macro-based attacks that atte This rule blocks Adobe Reader from creating child processes. +## Review attack surface reduction rule events in the Windows Defender ATP Security Center + +Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). + +You can query Windows Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how attack surface reduction rules would affect your environment if they were enabled. + ## Review attack surface reduction rule events in Windows Event Viewer You can review the Windows event log to see events that are created when an attack surface reduction rule is triggered (or audited): 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine. -1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. +2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. -2. On the left panel, under **Actions**, click **Import custom view...** +3. On the left panel, under **Actions**, click **Import custom view...** ![Animation showing the import custom view on the Event viewer window](images/events-import.gif) -3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). +4. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). -4. Click **OK**. +5. Click **OK**. -5. This will create a custom view that filters to only show the following events related to attack surface reduction rules: +6. This will create a custom view that filters to only show the following events related to attack surface reduction rules: Event ID | Description -|- @@ -200,8 +200,6 @@ You can review the Windows event log to see events that are created when an atta 1122 | Event when rule fires in Audit-mode 1121 | Event when rule fires in Block-mode - - ### Event fields - **ID**: matches with the Rule-ID that triggered the block/audit. @@ -209,6 +207,9 @@ You can review the Windows event log to see events that are created when an atta - **Process Name**: The process that performed the "operation" that was blocked/audited - **Description**: Additional details about the event or audit, including the signature, engine, and product version of Windows Defender Antivirus +## Attack surface reduction rules in Windows 10 Enterprise E3 + +A subset of attack surface reduction rules are also available on Windows 10 Enterprise E3 without the benefit of centralized monitoring, reporting, and analytics. For more information, see [Use attack surface reduction rules in Windows 10 Enterprise E3](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3). ## In this section diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md new file mode 100644 index 0000000000..4cc8fbd9f5 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md @@ -0,0 +1,51 @@ +--- +title: Use attack surface reduction rules in Windows 10 Enterprise E3 +description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware +keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +ms.date: 10/15/2018 +--- + +# Use attack surface reduction rules in Windows 10 Enterprise E3 + +**Applies to:** + +- Windows 10 Enterprise E3 + +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature area includes the rules, monitoring, reporting, and analytics necessary for deployment that are included in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), and require the Windows 10 Enterprise E5 license. + +A limited subset of basic attack surface reduction rules can technically be used with Windows 10 Enterprise E3. They can be used without the benefits of reporting, monitoring, and analytics, which provide the ease of deployment and management capabilities necessary for enterprises. + +Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. + +The limited subset of rules that can be used in Windows 10 Enterprise E3 include: + +- Block executable content from email client and webmail +- Block all Office applications from creating child processes +- Block Office applications from creating executable content +- Block Office applications from injecting code into other processes +- Block JavaScript or VBScript from launching downloaded executable content +- Block execution of potentially obfuscated scripts +- Block Win32 API calls from Office macro +- Use advanced protection against ransomware +- Block credential stealing from the Windows local security authority subsystem (lsass.exe) +- Block process creations originating from PSExec and WMI commands +- Block untrusted and unsigned processes that run from USB + +For more information about these rules, see [Reduce attack surfaces with attack surface reduction rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard). + + ## Related topics + +Topic | Description +---|--- +[Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how attack surface reduction rules work, and what events would typically be created. +[Enable attack surface reduction rules](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage attack surface reduction rules in your network. +[Customize attack surface reduction rules](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by attack surface reduction rules and customize the notification that appears on a user's machine when a rule blocks an app or file. \ No newline at end of file