Merged PR 12448: 10/29 PM Publish

2025-05-14 22:37:22 +00:00 · 2018-10-29 22:29:20 +00:00 · 2018-10-29 22:29:20 +00:00 · 809ebb897d
commit 809ebb897d
parent 839ce80ef8 6254ea4511
34 changed files with 1718 additions and 533 deletions
--- a/windows/client-management/TOC.md
+++ b/windows/client-management/TOC.md
@ -11,5 +11,9 @@
 ## [Transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md)
 ## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)
 ## [Windows libraries](windows-libraries.md)
 ## [Troubleshoot Windows 10 clients](windows-10-support-solutions.md)
 ### [Data collection for troubleshooting 802.1x Authentication](data-collection-for-802-authentication.md)
 ### [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md)
 ### [Advanced troubleshooting Wireless Network Connectivity](advanced-troubleshooting-wireless-network-connectivity.md)
 ## [Mobile device management for solution providers](mdm/index.md)
 ## [Change history for Client management](change-history-for-client-management.md)
--- a/windows/client-management/advanced-troubleshooting-802-authentication.md
+++ b/windows/client-management/advanced-troubleshooting-802-authentication.md
@ -0,0 +1,87 @@
 ---
 title: Advanced Troubleshooting 802.1x Authentication
 description: Learn how 802.1x Authentication works
 keywords: advanced troubleshooting, 802.1x authentication, troubleshooting, authentication, Wi-Fi
 ms.prod: w10
 ms.mktglfcycl:
 ms.sitesec: library
 author: mikeblodge
 ms.localizationpriority: medium
 ms.author: mikeblodge
 ms.date: 10/29/2018
 ---
 # Advanced Troubleshooting 802.1x Authentication
 ## Overview
 This is a general troubleshooting of 802.1x wireless and wired clients. With 
 802.1x and Wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make Access Points or Switches, it won't be an end-to-end Microsoft solution.
 ### Scenarios
 This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 - 10 for clients, and Windows Server 2008 R2 - 2012 R2 for NPS.
 ### Known Issues
 N/A
 ### Data Collection
 Markdown - Advanced Troubleshooting 802.1x Authentication Data Collection
 ### Troubleshooting
 - Viewing the NPS events in the Windows Security Event log is one of the most useful troubleshooting methods to obtain information about failed authentications.
 NPS event log entries contain information on the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. NPS event logging for rejected or accepted connection is enabled by default.
 Check Windows Security Event log on the NPS Server for NPS events corresponding to rejected (event ID 6273) or accepted (event ID 6272) connection attempts.
 In the event message, scroll to the very bottom, and check the **Reason Code** field and the text associated with it.
 ![example of an audit failure](images/auditfailure.png)
 *Example: event ID 6273 (Audit Failure)*
 ‎
 ![example of an audit success](images/auditsuccess.png)
 *Example: event ID 6272 (Audit Success)*
 ‎ 
 - The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, Wired AutoConfig operational log is equivalent one.
 On client side, navigate to the Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational for wireless issue (for wired network access, ..\Wired-AutoConfig/Operational).
 ![event viewer screenshot showing wired-autoconfig and WLAN autoconfig](images/eventviewer.png)
 - Most 802.1X authentication issues is due to problems with the certificate which is used for client or server authentication (e.g. invalid certificate, expiration, chain verification failure, revocation check failure, etc.). 
 First, make sure which type of EAP method is being used.
 ![eap authentication type comparison](images/comparisontable.png)
 - If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from EAP property menu. See figure below.
 ![Constraints tab of the secure wireless connections properties](images/eappropertymenu.png)
 - The CAPI2 event log will be useful for troubleshooting certificate-related issues.
 This log is not enabled by default. You can enable this log by navigating to the Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2 directory and expand it, then right-click on the Operational view and click the Enable Log menu.
 ![screenshot of event viewer](images/eventviewer.png)
 You can refer to this article about how to analyze CAPI2 event logs.
 [Troubleshooting PKI Problems on Windows Vista](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29)
 For detailed troubleshooting 802.1X authentication issues, it&#39;s important to understand 802.1X authentication process. The figure below is an example of wireless connection process with 802.1X authentication.
 ![aithenticatior flow chart](images/authenticator_flow_chart.png)
 - If you collect network packet capture on both a client and a NPS side, you can see the flow like below. Type **EAPOL** in Display Filter menu in Network Monitor for a client side and **EAP** for a NPS side.
 > [!NOTE]
 > info not critical to a task If you also enable wireless scenario trace with network packet capture, you can see more detailed information on Network Monitor with **ONEX\_MicrosoftWindowsOneX** and **WLAN\_MicrosoftWindowsWLANAutoConfig** Network Monitor filtering applied.
 ![client-side packet capture data](images/clientsidepacket_cap_data.png)
 *Client-side packet capture data*
 ![NPS-side packet capture data](images/NPS_sidepacket_capture_data.png) 
 *NPS-side packet capture data*
 ‎ 
 ## Additional references
 [Troubleshooting Windows Vista 802.11 Wireless Connections](https://technet.microsoft.com/ja-jp/library/cc766215%28v=ws.10%29.aspx)
 [Troubleshooting Windows Vista Secure 802.3 Wired Connections](https://technet.microsoft.com/de-de/library/cc749352%28v=ws.10%29.aspx)
--- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
+++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
@ -0,0 +1,199 @@
 ---
 title: Advanced Troubleshooting Wireless Network Connectivity
 description: Learn how troubleshooting of establishing Wi-Fi connections
 keywords: troubleshooting, wireless network connectivity, wireless, Wi-Fi
 ms.prod: w10
 ms.mktglfcycl:
 ms.sitesec: library
 author: mikeblodge
 ms.localizationpriority: medium
 ms.author: mikeblodge
 ms.date: 10/29/2018
 ---
 # Advanced Troubleshooting Wireless Network Connectivity
 > [!NOTE]
 > Home users: This article is intended for use by support agents and IT professionals. If you're looking for more general information about Wi-Fi problems in Windows 10, check out this [Windows 10 Wi-Fi fix article](https://support.microsoft.com/en-in/help/4000432/windows-10-fix-wi-fi-problems).
 ## Overview
 This is a general troubleshooting of establishing Wi-Fi connections from Windows Clients.
 Troubleshooting Wi-Fi connections requires understanding the basic flow of the Wi-Fi autoconnect state machine. Understanding this flow makes it easier to determine the starting point in a repro scenario in which a different behavior is found.
 This workflow involves knowledge and use of [TextAnalysisTool](https://github.com/TextAnalysisTool/Releases), an extensive text filtering tool that is useful with complex traces with numerous ETW providers such as wireless_dbg trace scenario.
 ## Scenarios
 Any scenario in which Wi-Fi connections are attempted and fail to establish. The troubleshooter is developed with Windows 10 clients in focus, but also may be useful with traces as far back as Windows 7.
 > [!NOTE]
 > This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component ETW. It is not meant to be representative of every wireless problem scenario.
 Wireless ETW is incredibly verbose and calls out lots of innocuous errors (i.e. Not really errors so much as behaviors that are flagged and have nothing to do with the problem scenario). Simply searching for or filtering on "err", "error", and "fail" will seldom lead you to the root cause of a problematic Wi-Fi scenario. Instead it will flood the screen with meaningless logs that will obfuscate the context of the actual problem.
 It is important to understand the different Wi-Fi components involved, their expected behaviors, and how the problem scenario deviates from those expected behaviors.
 The intention of this troubleshooter is to show how to find a starting point in the verbosity of wireless_dbg ETW and home in on the responsible component(s) causing the connection problem.
 ### Known Issues and fixes
 ** **
 | **OS version** | **Fixed in** |
 | --- | --- |
 | **Windows 10, version 1803** | [KB4284848](https://support.microsoft.com/help/4284848) |
 | **Windows 10, version 1709** | [KB4284822](https://support.microsoft.com/help/4284822) |
 | **Windows 10, version 1703** | [KB4338827](https://support.microsoft.com/help/4338827) |
 Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update-history webpage for your system:
 - [Windows 10 version 1803](https://support.microsoft.com/help/4099479)
 - [Windows 10 version 1709](https://support.microsoft.com/en-us/help/4043454)
 - [Windows 10 version 1703](https://support.microsoft.com/help/4018124)
 - [Windows 10 version 1607 and Windows Server 2016](https://support.microsoft.com/help/4000825)
 - [Windows 10 version 1511](https://support.microsoft.com/help/4000824)
 - [Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/4009470)
 - [Windows Server 2012](https://support.microsoft.com/help/4009471)
 - [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/40009469)
 ### Data Collection
 1. Network Capture with ETW. Use the following command:
    **netsh trace start wireless\_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl**
 2. Reproduce the issue if:
    - There is a failure to establish connection, try to manually connect
    - It is intermittent but easily reproducible, try to manually connect until it fails. Include timestamps of each connection attempt (successes and failures)
    - Tue issue is intermittent but rare, netsh trace stop command needs to be triggered automatically (or at least alerted to admin quickly) to ensure trace doesn’t overwrite the repro data.
    - Intermittent connection drops trigger stop command on a script (ping or test network constantly until fail, then netsh trace stop).
 3. Run this command to stop the trace: **netsh trace stop**
 4. To convert the output file to text format: **netsh trace convert c:\tmp\wireless.etl**
 ### Troubleshooting
 The following is a high-level view of the main wifi components in Windows.
 ![Wi-Fi stack components](images/wifistackcomponents.png)
 The Windows Connection Manager (Wcmsvc) is closely associated with the UI controls (see taskbar icon) to connect to various networks including wireless. It accepts and processes input from the user and feeds it to the core wireless service (Wlansvc). The Wireless Autoconfig Service (Wlansvc) handles the core functions of wireless networks in windows:
 - Scanning for wireless networks in range
 - Managing connectivity of wireless networks
 The Media Specific Module (MSM) handles security aspects of connection being established.
 The Native Wifi stack consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc.
 Third-party wireless miniport drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows.
 The wifi connection state machine has the following states:
 - Reset
 - Ihv_Configuring
 - Configuring
 - Associating
 - Authenticating
 - Roaming
 - Wait_For_Disconnected
 - Disconnected
 Standard wifi connections tend to transition between states such as:
 **Connecting**
 Reset --> Ihv_Configuring --> Configuring --> Associating --> Authenticating --> Connected
 **Disconnecting**
 Connected --> Roaming --> Wait_For_Disconnected --> Disconnected --> Reset
 - Filtering the ETW trace with the provided [TextAnalyisTool (TAT)](https://github.com/TextAnalysisTool/Releases) filter is an easy first step to determine where a failed connection setup is breaking down:
 Use the **FSM transition** trace filter to see the connection state machine.
 Example of a good connection setup:
 ```
 44676 [2]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset
 45473 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv\_Configuring
 45597 [3]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv\_Configuring to State: Configuring
 46085 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.710 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Configuring to State: Associating
 47393 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.879 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Associating to State: Authenticating
 49465 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Connected
 ```
 Example of a failed connection setup:
 ```
 44676 [2]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset
 45473 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv\_Configuring
 45597 [3]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv\_Configuring to State: Configuring
 46085 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.710 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Configuring to State: Associating
 47393 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.879 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Associating to State: Authenticating
 49465 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Roaming
 ```
 By identifying the state at which the connection fails, one can focus more specifically in the trace on logs just prior to the last known good state. Examining **[Microsoft-Windows-WLAN-AutoConfig]** logs just prior to the bad state change should show evidence of error. Often, however, the error is propagated up through other wireless components.
 In many cases the next component of interest will be the MSM, which lies just below Wlansvc.
 ![MSM details](images/msmdetails.png)
 The important components of the MSM include:
 - Security Manager (SecMgr) - handles all pre and post-connection security operations.
 - Authentication Engine (AuthMgr) – Manages 802.1x auth requests
 Each of these components has their own individual state machines which follow specific transitions.
 Enable the **FSM transition, SecMgr Transition,** and **AuthMgr Transition** filters in TextAnalysisTool for more detail.
 Continuing with the example above, the combined filters look like this:
 ```
 [2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Reset to State: Ihv_Configuring
 [2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Ihv_Configuring to State: Configuring
 [1] 0C34.2FE8::08/28/17-13:24:28.711 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Configuring to State: Associating
 [0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition INACTIVE (1) --> ACTIVE (2)
 [0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition ACTIVE (2) --> START AUTH (3)
 [4] 0EF8.0708::08/28/17-13:24:28.928 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition ENABLED  --> START_AUTH  
 [3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Associating to State: Authenticating
 [1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
 [4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition START_AUTH  --> AUTHENTICATING  
 [2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
 [2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
 [2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Authenticating to State: Roaming
 ```
 > [!NOTE]
 > In this line the SecMgr transition is suddenly deactivating. This transition is what eventually propagates to the main connection state machine and causes the Authenticating phase to devolve to Roaming state. As before, it makes sense to focus on tracing just prior to this SecMgr behavior to determine the reason for the deactivation.
 - Enabling the **Microsoft-Windows-WLAN-AutoConfig** filter will show more detail leading to the DEACTIVATE transition:
 ```
 [3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Associating to State: Authenticating
 [1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
 [4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition START_AUTH  --> AUTHENTICATING  
 [0]0EF8.2EF4::‎08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PHY_STATE_CHANGE  
 [0]0EF8.2EF4::08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Change radio state for interface = Intel(R) Centrino(R) Ultimate-N 6300 AGN :  PHY = 3, software state = on , hardware state = off ) 
 [0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PORT_DOWN  
 [0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]FSM Current state Authenticating , event Upcall_Port_Down  
 [0] 0EF8.1174:: 08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received IHV PORT DOWN, peer 0x186472F64FD2 
 [2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
 [2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
 [2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Authenticating to State: Roaming
 ```
 - The trail backwards reveals a Port Down notification. Port events indicate changes closer to the wireless hardware. The trail can be followed by continuing to see the origin of this indication.
 Below, the MSM is the native wifi stack (as seen in Figure 1). These are Windows native wifi drivers which talk to the wifi miniport driver(s). It is responsible for converting Wi-Fi (802.11) packets to 802.3 (Ethernet) so that TCPIP and other protocols and can use it.
 Enable trace filter for **[Microsoft-Windows-NWifi]:**
 ```
 [3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Associating to State: Authenticating
 [1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
 [4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x8A1514B62510 AuthMgr Transition START_AUTH  --> AUTHENTICATING  
 [0]0000.0000::‎08/28/17-13:24:29.127 [Microsoft-Windows-NWiFi]DisAssoc: 0x8A1514B62510 Reason: 0x4 
 [0]0EF8.2EF4::‎08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PHY_STATE_CHANGE  
 [0]0EF8.2EF4::08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Change radio state for interface = Intel(R) Centrino(R) Ultimate-N 6300 AGN :  PHY = 3, software state = on , hardware state = off ) 
 [0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PORT_DOWN  
 [0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]FSM Current state Authenticating , event Upcall_Port_Down  
 [0] 0EF8.1174:: 08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received IHV PORT DOWN, peer 0x186472F64FD2 
 [2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
 [2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
 [2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Authenticating to State: Roaming
 ```
 The port down event is occurring due to a Disassociate coming Access Point as an indication to deny the connection. This could be due to invalid credentials, connection parameters, loss of signal/roaming, and various other reasons for aborting a connection. The action here would be to examine the reason for the disassociate sent from the indicated AP MAC (8A:15:14:B6:25:10). This would be done by examining internal logging/tracing from MAC device.
 ### **Resources**
 ### [802.11 Wireless Tools and Settings](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755892(v%3dws.10))
 ### [Understanding 802.1X authentication for wireless networks](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759077%28v%3dws.10%29)
--- a/windows/client-management/data-collection-for-802-authentication.md
+++ b/windows/client-management/data-collection-for-802-authentication.md
@ -0,0 +1,551 @@
 ---
 title: Data Collection for Troubleshooting 802.1x Authentication
 description: Data needed for reviewing 802.1x Authentication issues
 keywords: troubleshooting, data collection, data, 802.1x authentication, authentication, data
 ms.prod: w10
 ms.mktglfcycl:
 ms.sitesec: library
 author: mikeblodge
 ms.localizationpriority: medium
 ms.author: mikeblodge
 ms.date: 10/29/2018
 ---
 # Data Collection for Troubleshooting 802.1x Authentication
 ## Steps to capture Wireless/Wired functionality logs
 1. Create C:\MSLOG on the client machine to store captured logs.
 2. Launch a command prompt as an administrator on the client machine, and run the following commands to start RAS trace log and Wireless/Wired scenario log:
 **On Windows 8.1, Windows 10 Wireless Client**
 ```dos
 netsh ras set tracing * enabled
 ```
 ```dos
 netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl
 ```
 **On Windows 7, Winodws 8 Wireless Client**
 ```dos
 netsh ras set tracing * enabled
 ```
 ```dos
 netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl
 ```
 **On Wired network client**
 ```dos
 netsh ras set tracing * enabled
 ```
 ```dos
 netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_cli.etl
 ```
 3. Run the followind command to enable CAPI2 logging:
 ```dos
 wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
 ```
 4. Create C:\MSLOG on the NPS to store captured logs.
 5. Launch a command prompt as an administrator on the NPS and run the following commands to start RAS trace log and Wireless/Wired scenario log:
 **On Windows Server 2012 R2, Windows Server 2016 Wireless network**
   ```dos
    netsh ras set tracing * enabled
   ```
   ```dos
    netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl
   ```
 **On Windows Server 2008 R2, Winodws Server 2012 Wireless network**
   ```dos
    netsh ras set tracing * enabled
   ```
   ```dos
    netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl
   ```
 **On wired network**
   ```dos
    netsh ras set tracing * enabled
   ```
   ```dos
    netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_nps.etl
   ```
 6. Run the followind command to enable CAPI2 logging:
  ```dos
    wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
  ```
 7. Run the following command from the command prompt on the client machine and start PSR to capture screen images:
 > [!NOTE]
 > When the mouse button is clicked, the cursor will blink in red while capturing a screen image.
   ```dos
    psr /start /output c:\MSLOG\%computername%\_psr.zip /maxsc 100
   ```
 8. Repro the issue.
 9. Run the following command on the client machine to stop the PSR capturing:
  ```dos
    psr /stop
  ```
 10. Run the following commands from the command prompt on the NPS.
 **Stopping RAS trace log and Wireless scenario log**
   ```dos
    netsh trace stop
   ```
   ```dos
    netsh ras set tracing * disabled
   ```
 **Disabling and copying CAPI2 log**
   ```dos
    wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
   ```
   ```dos
    wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
   ```
 11. Run the following commands from the prompt on the client machine.
 **Stopping RAS trace log and Wireless scenario log**
  ```dos
    netsh trace stop
   ```
   ```dos
    netsh ras set tracing * disabled
   ```
 **Disabling and copying CAPI2 log**
   ```dos
    wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
   ```
   ```dos
    wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
   ```
 12. Save the following logs on the client and the NPS.
 **Client**
 - C:\MSLOG\%computername%_psr.zip
 - C:\MSLOG\CAPI2_%COMPUTERNAME%.evtx
 - C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl
 - C:\MSLOG\%COMPUTERNAME%_wireless_cli.cab
 - All log files and folders in %Systemroot%\Tracing
 **NPS**
 - C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx
 - C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl (%COMPUTERNAME%_wired_nps.etl for wired scenario)
 - C:\MSLOG\%COMPUTERNAME%_wireless_nps.cab (%COMPUTERNAME%_wired_nps.cab for wired scenario)
 - All log files and folders in %Systemroot%\Tracing
 ### Steps to save environmental / configuration information
 **Client**
 1. Create C:\MSLOG to store captured logs.
 2. Launch a command prompt as an administrator.
 3. Run the following commands.
    - Environmental information and Group Policies application status
         ```dos                
            gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.htm
            msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
            ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
            route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
         ```
 **Event logs**
 **Run the following command on Windows 8 and above **
 ```dos
 wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
 wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
 wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
 ```
 ```dos
 wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
 wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
 wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
 wevtutil epl Microsoft-Windows-GroupPolicy/Operational C:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
 wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-WLAN-AutoConfig-Operational.evtx
 wevtutil epl "Microsoft-Windows-Wired-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-Wired-AutoConfig-Operational.evtx
 wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
 wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
 ```
 **Certificates Store information**
 ```dos
 certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
 certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
 certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
 certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
 certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
 certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
 certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
 certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
 certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
 certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
 certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
 certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
 certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
 certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
 certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
 certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
 certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
 certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
 certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
 certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
 certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
 certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
 certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
 certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
 certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
 certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
 certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
 certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
 certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
 certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
 certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
 ```
 **Wireless LAN Client information**
 ```dos
 netsh wlan show all > c:\MSLOG\%COMPUTERNAME%\_wlan\_show\_all.txt
 netsh wlan export profile folder=c:\MSLOG\
 ```
 **Wired LAN Client information**
 ```dos
 netsh lan show all > c:\MSLOG\%COMPUTERNAME%\_lan\_show\_all.txt
 netsh lan export profile folder=c:\MSLOG\
 ```
 4. Save the logs stored in C:\MSLOG.
 **NPS**
    1. Create C:\MSLOG to store captured logs.
    2. Launch a command prompt as an administrator.
    3. Run the following commands:
   **Environmental information and Group Policies application status**
   ```dos
   gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
   msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
   ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
   route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
   ```
 **Event logs**
 **Run the following 3 commands on Windows Server 2012 and above:**
 ```dos
 wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
 wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
 wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
 ```
 ```dos
 wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
 wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
 wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
 wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
 wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
 wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
 ```
 **Certificates store information**
 ```dos
 certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
 certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
 certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
 certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
 certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
 certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
 certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
 certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
 certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
 certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
 certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
 certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
 certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
 certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
 certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
 certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
 certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
 certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
 certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
 certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
 certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
 certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
 certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
 certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
 certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
 certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
 certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
 certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
 certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
 certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
 certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
 ```
 **NPS configuration information**
 ```dos
 netsh nps show config > C:\MSLOG\%COMPUTERNAME%\_nps\_show\_config.txt
 netsh nps export filename=C:\MSLOG\%COMPUTERNAME%\_nps\_export.xml exportPSK=YES
 ```
 3. Take the following steps to save an NPS accounting log:
 4. Launch **Administrative tools** - **Network Policy Server**.
    - On the Network Policy Server administration tool, select **Accounting** in the left pane.
    - Click **Change Log File Properties** in the right pane.
    - Click the **Log File** tab, note the log file naming convention shown as *Name* and the log file location shown in the **Directory** box.
    - Copy the log file to C:\MSLOG.
    - Save the logs stored in C:\MSLOG.
 **Certificate Authority (CA)** *Optional*
 1. On a CA, launch a command prompt as an administrator.
 2. Create C:\MSLOG to store captured logs.
 3. Run the following commands:
 Environmental information and Group Policies application status
 ```dos
 gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
 msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
 ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
 route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
 ```
 **Event logs**
 **Run the following 3 lines on Windows 2012 and up:**
 ```dos
 wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
 wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
 wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
 ```
 ```dos
 wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
 wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
 wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
 wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
 wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
 wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
 ```
 **Certificates store information**
 ```dos
 certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
 certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
 certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
 certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
 certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
 certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
 certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
 certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
 certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
 certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
 certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
 certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
 certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
 certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
 certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
 certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
 certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
 certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
 certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
 certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
 certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
 certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
 certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
 certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
 certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
 certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
 certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
 certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
 certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
 certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
 certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
 ```
 **CA configuration information**
 ```dos
 reg save HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.hiv
 reg export HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.txt
 reg save HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.hiv
 reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.tx
 ```
 4. Copy the following files, if exist, to C:\MSLOG. %windir%\CAPolicy.inf
 5. Log on to a domain controller and create C:\MSLOG to store captured logs.
 6. Launch Windows PowerShell as an administrator.
 7. Run the following PowerShell commandlets
        \* Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for ";test.local"; domain.
 ```powershell
 Import-Module ActiveDirectory
 Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter \* -Properties \* | fl \* > C:\MSLOG\Get-ADObject\_$Env:COMPUTERNAME.txt
 ```
 8. Save the following logs:
 - All files in C:\MSLOG on the CA
 - All files in C:\MSLOG on the domain controller
--- a/windows/client-management/images/NPS_sidepacket_capture_data.png
+++ b/windows/client-management/images/NPS_sidepacket_capture_data.png
--- a/windows/client-management/images/auditfailure.png
+++ b/windows/client-management/images/auditfailure.png
--- a/windows/client-management/images/auditsuccess.png
+++ b/windows/client-management/images/auditsuccess.png
--- a/windows/client-management/images/authenticator_flow_chart.png
+++ b/windows/client-management/images/authenticator_flow_chart.png
--- a/windows/client-management/images/clientsidepacket_cap_data.png
+++ b/windows/client-management/images/clientsidepacket_cap_data.png
--- a/windows/client-management/images/comparisontable.png
+++ b/windows/client-management/images/comparisontable.png
--- a/windows/client-management/images/eappropertymenu.png
+++ b/windows/client-management/images/eappropertymenu.png
--- a/windows/client-management/images/eventviewer.png
+++ b/windows/client-management/images/eventviewer.png
--- a/windows/client-management/images/msmdetails.png
+++ b/windows/client-management/images/msmdetails.png
--- a/windows/client-management/images/wifi.txt
+++ b/windows/client-management/images/wifi.txt
@ -0,0 +1,31 @@
 <?xml version="1.0" encoding="utf-8" standalone="yes"?>
 <TextAnalysisTool.NET version="2018-01-03" showOnlyFilteredLines="False">
  <filters>
    <filter enabled="n" excluding="n" description="" foreColor="000000" backColor="d3d3d3" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-OneX]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Unknown]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-EapHost]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[]***" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-Winsock-AFD]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-WinHttp]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-WebIO]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-Winsock-NameResolution]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-TCPIP]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-DNS-Client]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-NlaSvc]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-Iphlpsvc-Trace]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-DHCPv6-Client]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-Dhcp-Client]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-NCSI]" />
    <filter enabled="y" excluding="n" description="" backColor="90ee90" type="matches_text" case_sensitive="n" regex="n" text="AuthMgr Transition" />
    <filter enabled="y" excluding="n" description="" foreColor="0000ff" backColor="add8e6" type="matches_text" case_sensitive="n" regex="n" text="FSM transition" />
    <filter enabled="y" excluding="n" description="" foreColor="000000" backColor="dda0dd" type="matches_text" case_sensitive="n" regex="n" text="SecMgr transition" />
    <filter enabled="y" excluding="n" description="" foreColor="000000" backColor="f08080" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-NWiFi]" />
    <filter enabled="y" excluding="n" description="" foreColor="000000" backColor="ffb6c1" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-WiFiNetworkManager]" />
    <filter enabled="y" excluding="n" description="" foreColor="000000" backColor="dda0dd" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-WLAN-AutoConfig]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-NetworkProfile]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-WFP]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-WinINet]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[MSNT_SystemTrace]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="Security]Capability" />
  </filters>
 </TextAnalysisTool.NET>
--- a/windows/client-management/images/wifistackcomponents.png
+++ b/windows/client-management/images/wifistackcomponents.png
--- a/windows/client-management/images/wiredautoconfig.png
+++ b/windows/client-management/images/wiredautoconfig.png
--- a/windows/deployment/update/waas-delivery-optimization-reference.txt
+++ b/windows/deployment/update/waas-delivery-optimization-reference.txt
@ -0,0 +1,23 @@
 ---
 title: Delivery Optimization reference
 description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10
 keywords: oms, operations management suite, wdav, updates, downloads, log analytics
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: JaimeO
 ms.localizationpriority: medium
 ms.author: jaimeo
 ms.date: 10/23/2018
 ---
 # Delivery Optimization reference
 **Applies to**
 - Windows 10
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
 There are a great many details you can set in Delivery Optimization to customize it to do just what you need it to. This topic summarizes them for your reference.
--- a/windows/deployment/update/waas-delivery-optimization-setup.md
+++ b/windows/deployment/update/waas-delivery-optimization-setup.md
@ -0,0 +1,42 @@
 ---
 title: Set up Delivery Optimization
 description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10
 keywords: oms, operations management suite, wdav, updates, downloads, log analytics
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: JaimeO
 ms.localizationpriority: medium
 ms.author: jaimeo
 ms.date: 10/23/2018
 ---
 # Set up Delivery Optimization for Windows 10 updates
 **Applies to**
 - Windows 10
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
 ## Plan to use Delivery Optimization
 general guidelines + “recommended policies” chart
 ## Implement Delivery Optimization
 [procedural-type material; go here, click this]
 ### Peer[?] topology (steps for setting up Group download mode)
 ### Hub and spoke topology (steps for setting up peer selection)
 ## Monitor Delivery Optimization
 how to tell if it’s working? What values are reasonable; which are not? If not, which way to adjust and how?
 ### Monitor w/ PS
 ### Monitor w/ Update Compliance
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@ -1,5 +1,5 @@
 ---
-title: Configure Delivery Optimization for Windows 10 updates (Windows 10)
+title: Delivery Optimization for Windows 10 updates (Windows 10)
 description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10
 keywords: oms, operations management suite, wdav, updates, downloads, log analytics
 ms.prod: w10
@ -8,10 +8,10 @@ ms.sitesec: library
 author: JaimeO
 ms.localizationpriority: medium
 ms.author: jaimeo
-ms.date: 04/30/2018
+ms.date: 10/23/2018
 ---
-# Configure Delivery Optimization for Windows 10 updates
+# Delivery Optimization for Windows 10 updates
 **Applies to**
@ -20,15 +20,14 @@ ms.date: 04/30/2018
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
-Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization in conjunction with stand-alone Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or System Center Configuration Manager when installation of Express Updates is enabled.  
+Delivery Optimization reduces the bandwidth needed to download Windows updates and applications by sharing the work of downloading these packages among multiple devices in your deployment. It does this by using a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers.
-Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet.
+You can use Delivery Optimization in conjunction with standalone Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or System Center Configuration Manager (when installation of Express Updates is enabled).  
 To take advantage of Delivery Optimization, you'll need the following:
->[!NOTE]
+- The devices being updated must have access to the internet.
->WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. 
+- The devices must be running at least these minimum versions:
 The following table lists the minimum Windows 10 version that supports Delivery Optimization:
 | Device type | Minimum Windows version |
 |------------------|---------------|
@ -37,10 +36,11 @@ The following table lists the minimum Windows 10 version that supports Delivery
 | IoT devices | 1803 |
 | HoloLens devices | 1803 |
 In Windows 10 Enterprise and Education editions, Delivery Optimization allows peer-to-peer sharing on the organization's own network only, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. These options are detailed in [Download mode](#download-mode).
-By default in Windows 10 Enterprise and Education editions, Delivery Optimization allows peer-to-peer sharing on the organization's own network only, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune.
+>[!NOTE]
 >WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. 
 For more details, see [Download mode](#download-mode).
 ## Delivery Optimization options
--- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
+++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: jaimeo
 ms.author: jaimeo
-ms.date: 08/21/2018
+ms.date: 10/29/2018
 ms.localizationpriority: medium
 ---
@ -33,10 +33,14 @@ If you've followed the steps in the [Enrolling devices in Windows Analytics](win
 [Upgrade Readiness shows many "Computers with outdated KB"](#upgrade-readiness-shows-many-computers-with-outdated-kb)
 [Upgrade Readiness shows many "Computers with incomplete data"](#upgrade-readiness-shows-many-computers-with-incomplete-data)
 [Upgrade Readiness doesn't show app inventory data on some devices](#upgrade-readiness-doesnt-show-app-inventory-data-on-some-devices)
 [Upgrade Readiness doesn't show IE site discovery data from some devices](#upgrade-readiness-doesnt-show-ie-site-discovery-data-from-some-devices)
 [Device names not appearing for Windows 10 devices](#device-names-not-appearing-for-windows-10-devices)
 [Disable Upgrade Readiness](#disable-upgrade-readiness)
 [Exporting large data sets](#exporting-large-data-sets)
@ -191,7 +195,7 @@ Finally, Upgrade Readiness only collects IE site discovery data on devices that
 >[!NOTE]
 > IE site discovery is disabled on devices running Windows 7 and Windows 8.1 that are in Switzerland and EU countries.
-### Device Names don't show up on Windows 10 devices
+### Device names not appearing for Windows 10 devices
 Starting with Windows 10, version 1803, the device name is no longer collected by default and requires a separate opt-in. For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
 ### Disable Upgrade Readiness
--- a/windows/deployment/update/windows-analytics-get-started.md
+++ b/windows/deployment/update/windows-analytics-get-started.md
@ -56,6 +56,12 @@ To enable data sharing, configure your proxy server to whitelist the following e
 | `https://login.live.com` | This endpoint is required by Device Health to ensure data integrity and provides a more reliable device identity for all of the Windows Analytics solutions on Windows 10. If you want to disable end-user managed service account (MSA) access, you should apply the appropriate [policy](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts#block-all-consumer-microsoft-account-user-authentication) instead of blocking this endpoint. |
 | `https://www.msftncsi.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. |
 | `https://www.msftconnecttest.com` | Windows Error Reporting (WER); required for Device Health to check connectivity.  |
 | `https://ceuswatcab01.blob.core.windows.net` | Windows Error Reporting (WER); required for uploading crash analytics.  |
 | `https://ceuswatcab02.blob.core.windows.net` | Windows Error Reporting (WER); required for uploading crash analytics.  |
 | `https://eaus2watcab01.blob.core.windows.net` | Windows Error Reporting (WER); required for uploading crash analytics.  |
 | `https://eaus2watcab02.blob.core.windows.net` | Windows Error Reporting (WER); required for uploading crash analytics.  |
 | `https://weus2watcab01.blob.core.windows.net` | Windows Error Reporting (WER); required for uploading crash analytics.  |
 | `https://weus2watcab02.blob.core.windows.net` | Windows Error Reporting (WER); required for uploading crash analytics.  |
 >[!NOTE]
--- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
+++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
 author: jaimeo
-ms.date: 05/31/2018
+ms.date: 10/29/2018
 ---
 # Upgrade Readiness deployment script
@ -286,17 +286,6 @@ The deployment script displays the following exit codes to let you know if it wa
        <td>45 - Diagrack.dll was not found.</td>
        <td>Update the PC using Windows Update/Windows Server Update Services.</td>
    </tr>
 <tr>
        <td>46 - **DisableEnterpriseAuthProxy** property should be set to **1** for **ClientProxy=Telemetry** to work.</td>
        <td>Set the **DisableEnterpriseAuthProxy** registry property to **1** at key path <font size='1'>**HKLM:\SOFTWARE\Policies\Microsoft
 \Windows\DataCollection**</font>.</td>
    </tr>
 <tr>
        <td>47 - **TelemetryProxyServer** is not present in key path <font size='1'>**HKLM:\SOFTWARE\Policies\Microsoft
 \Windows\DataCollection**</font>.</td>
        <td>**ClientProxy** selected is **Telemetry**, but you need to add **TelemetryProxyServer** in key path <font size='1'>**HKLM:\SOFTWARE\Policies\Microsoft
 \Windows\DataCollection**</font>.</td>
    </tr>
 <tr>
        <td>48 - **CommercialID** mentioned in RunConfig.bat should be a GUID.</td>
        <td>**CommercialID** is mentioned in RunConfig.bat, but it is not a GUID. Copy the commercialID from your workspace. To find the commercialID, in the OMS portal click **Upgrade Readiness > Settings**.</td>
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@ -158,6 +158,12 @@ The following table defines the endpoints for other diagnostic data services:
 | Service | Endpoint |
 | - | - |
 | [Windows Error Reporting](https://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com | 
 | | ceuswatcab01.blob.core.windows.net |
 | | ceuswatcab02.blob.core.windows.net |
 | | eaus2watcab01.blob.core.windows.net |
 | | eaus2watcab02.blob.core.windows.net |
 | | weus2watcab01.blob.core.windows.net |
 | | weus2watcab02.blob.core.windows.net |
 | [Online Crash Analysis](https://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
 | OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 |
--- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
+++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
@ -1,6 +1,6 @@
 ---
 description: Use this article to learn more about the enhanced diagnostic data events used by Windows Analytics
-title: Windows 10, version 1709 enhanced telemtry events and fields used by Windows Analytics (Windows 10)
+title: Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics (Windows 10)
 keywords: privacy, diagnostic data
 ms.prod: w10
 ms.mktglfcycl: manage
@ -8,8 +8,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: high
 ms.date: 10/16/2017
-author: jaimeo
+author: danihalfin    
-ms.author: jaimeo
+ms.author: daniha
 ---
@ -57,6 +57,184 @@ The following fields are available:
 - **WriteCountAtExit_Sum:** Total number of IO writes for a process when it exited
 - **WriteSizeInKBAtExit_Sum:** Total size of IO writes for a process when it exited          
 ## Microsoft.Office.TelemetryEngine.IsPreLaunch
 Applicable for Office UWP applications. This event is fired when an office application is initiated for the first-time post upgrade/install from the store. This is part of basic diagnostic data, used to track whether a particular session is launch session or not.
 - **appVersionBuild:** Third part of the version *.*.XXXXX.*
 - **appVersionMajor:** First part of the version X.*.*.*
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRev:** Fourth part of the version *.*.*.XXXXX
 - **SessionID:** ID of the session
 ## Microsoft.Office.SessionIdProvider.OfficeProcessSessionStart
 This event sends basic information upon the start of a new Office session. This is used to count the number of unique sessions seen on a given device. This is used as a heartbeat event to ensure that the application is running on a device or not. In addition, it serves as a critical signal for overall application reliability.
 - **AppSessionGuid:** ID of the session which maps to the process of the application
 - **processSessionId:** ID of the session which maps to the process of the application
 ## Microsoft.Office.TelemetryEngine.SessionHandOff
 Applicable to Win32 Office applications. This event helps us understand whether there was a new session created to handle a user-initiated file open event. It is a critical diagnostic information that is used to derive reliability signal and ensure that the application is working as expected.
 - **appVersionBuild:** Third part Build version of the application *.*.XXXXX.*
 - **appVersionMajor:** First part of the version X.*.*.*
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRev:** Fourth part of the version *.*.*.XXXXX
 - **childSessionID:** Id of the session that was created to handle the user initiated file open
 - **parentSessionId:** ID of the session that was already running
 ## Microsoft.Office.CorrelationMetadata.UTCCorrelationMetadata
 Collects Office metadata through UTC to compare with equivalent data collected through the Office telemetry pipeline to check correctness and completeness of data.
 - **abConfigs:** List of features enabled for this session
 - **abFlights:** List of features enabled for this session
 - **AppSessionGuid:** ID of the session
 - **appVersionBuild:** Third part Build version of the application *.*.XXXXX.*
 - **appVersionMajor:** First part of the version X.*.*.*
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRevision:** Fourth part of the version *.*.*.XXXXX
 - **audienceGroup:** Is this part of the insiders or production
 - **audienceId:** ID of the audience setting
 - **channel:** Are you part of Semi annual channel or Semi annual channel-Targeted?
 - **deviceClass:** Is this a desktop or a mobile?
 - **impressionId:** What features were available to you in this session
 - **languageTag:** Language of the app
 - **officeUserID:** A unique identifier tied to the office installation on a particular device.
 - **osArchitecture:** Is the machine 32 bit or 64 bit?
 - **osEnvironment:** Is this a win32 app or a UWP app?
 - **osVersionString:** Version of the OS
 - **sessionID:** ID of the session
 ## Microsoft.Office.ClickToRun.UpdateStatus
 Applicable to all Win32 applications. Helps us understand the status of the update process of the office suite (Success or failure with error details).
 - **build:** App version
 - **channel:** Is this part of SAC or SAC-T?
 - **errorCode:** What error occurred during the upgrade process?
 - **errorMessage:** what was the error message during the upgrade process?
 - **status:** Was the upgrade successful or not?
 - **targetBuild:** What app version were we trying to upgrade to?
 ## Microsoft.Office.TelemetryEngine.FirstIdle
 This event is fired when the telemetry engine within an office application is ready to send telemetry. Used for understanding whether there are issues in telemetry.
 - **appVersionBuild:** Third part of the version *.*.XXXXX.*
 - **appVersionMajor:** First part of the version X.*.*.*
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRev:** Fourth part of the version *.*.*.XXXXX
 - **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
 - **SessionID:** ID of the session
 ## Microsoft.Office.TelemetryEngine.FirstProcessed
 This event is fired when the telemetry engine within an office application has processed the rules or the list of events that we need to collect. Used for understanding whether there are issues in telemetry.
 - **appVersionBuild:** Third part of the version *.*.XXXXX.*
 - **appVersionMajor:** First part of the version X.*.*.*
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRev:** Fourth part of the version *.*.*.XXXXX
 - **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
 - **SessionID:** ID of the session
 ## Microsoft.Office.TelemetryEngine.FirstRuleRequest
 This event is fired when the telemetry engine within an office application has received the first rule or list of events that need to be sent by the app. Used for understanding whether there are issues in telemetry.
 - **appVersionBuild:** Third part of the version *.*.XXXXX.*
 - **appVersionMajor:** First part of the version X.*.*.*
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRev:** Fourth part of the version *.*.*.XXXXX
 - **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
 - **SessionID:** ID of the session
 ## Microsoft.Office.TelemetryEngine.Init
 This event is fired when the telemetry engine within an office application has been initialized or not. Used for understanding whether there are issues in telemetry.
 - **appVersionBuild:** Third part of the version *.*.XXXXX.*
 - **appVersionMajor:** First part of the version X.*.*.*
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRev:** Fourth part of the version *.*.*.XXXXX
 - **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
 - **SessionID:** ID of the session
 ## Microsoft.Office.TelemetryEngine.Resume
 This event is fired when the application resumes from sleep state. Used for understanding whether there are issues in the application life-cycle.
 - **appVersionBuild:** Third part of the version *.*.XXXXX.*
 - **appVersionMajor:** First part of the version X.*.*.*
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRev:** Fourth part of the version *.*.*.XXXXX
 - **maxSequenceIdSeen:** How many events from this session have seen so far?
 - **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
 - **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed?
 - **SessionID:** ID of the session
 ## Microsoft.Office.TelemetryEngine.RuleRequestFailed
 This event is fired when the telemetry engine within an office application fails to retrieve the rules containing the list of telemetry events. Used for understanding whether there are issues in telemetry.
 - **appVersionBuild:** Third part of the version *.*.XXXXX.*
 - **appVersionMajor:** First part of the version X.*.*.*
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRev:** Fourth part of the version *.*.*.XXXXX
 - **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
 - **SessionID:** ID of the session
 ## Microsoft.Office.TelemetryEngine.RuleRequestFailedDueToClientOffline
 This event is fired when the telemetry engine within an office application fails to retrieve the rules containing the list of telemetry events, when the device is offline. Used for understanding whether there are issues in telemetry.
 - **appVersionBuild:** Third part of the version *.*.XXXXX.*
 - **appVersionMajor:** First part of the version X.*.*.*
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRev:** Fourth part of the version *.*.*.XXXXX
 - **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
 - **SessionID:** ID of the session
 ## Microsoft.Office.TelemetryEngine.ShutdownComplete
 This event is fired when the telemetry engine within an office application has processed the rules or the list of events that we need to collect. Useful for understanding whether a particular crash is happening during an app-shutdown, and could potentially lead in data loss or not.
 - **appVersionBuild:** Third part of the version *.*.XXXXX.*
 - **appVersionMajor:** First part of the version X.*.*.*
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRev:** Fourth part of the version *.*.*.XXXXX
 - **maxSequenceIdSeen:** How many events from this session have seen so far?
 - **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
 - **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed?
 - **SessionID:** ID of the session
 ## Microsoft.Office.TelemetryEngine.ShutdownStart
 This event is fired when the telemetry engine within an office application been uninitialized, and the application is shutting down. Useful for understanding whether a particular crash is happening during an app-shutdown, and could potentially lead in data loss or not.
 - **appVersionBuild:** Third part of the version *.*.XXXXX.*
 - **appVersionMajor:** First part of the version X.*.*.*
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRev:** Fourth part of the version *.*.*.XXXXX
 - **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
 - **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed?
 - **SessionID:** ID of the session
 ## Microsoft.Office.TelemetryEngine.SuspendComplete
 This event is fired when the telemetry engine within an office application has processed the rules or the list of events that we need to collect. Used for understanding whether there are issues in telemetry.
 - **appVersionBuild:** Third part of the version *.*.XXXXX.*
 - **appVersionMajor:** First part of the version X.*.*.*
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRev:** Fourth part of the version *.*.*.XXXXX
 - **maxSequenceIdSeen:** How many events from this session have seen so far?
 - **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
 - **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed?
 - **SessionID:** ID of the session
 - **SuspendType:** Type of suspend
 ## Microsoft.Office.TelemetryEngine.SuspendStart
 This event is fired when the office application suspends as per app life-cycle change. Used for understanding whether there are issues in the application life-cycle.
 - **appVersionBuild:** Third part of the version *.*.XXXXX.*
 - **appVersionMajor:** First part of the version X.*.*.*
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRev:** Fourth part of the version *.*.*.XXXXX
 - **maxSequenceIdSeen:** How many events from this session have seen so far?
 - **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
 - **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed?
 - **SessionID:** ID of the session
 - **SuspendType:** Type of suspend
 ## Microsoft.OSG.OSS.CredProvFramework.ReportResultStop
 This event indicates the result of an attempt to authenticate a user with a credential provider. It helps Microsoft to improve logon reliability. Using this event with Windows Analytics can help organizations monitor and improve logon success for different methods (for example, biometric) on managed devices.
@ -251,7 +429,13 @@ The following fields are available:
 - **WindowHeight:** Number of vertical pixels in the application window
 - **WindowWidth:** Number of horizontal pixels in the application window
-# Revisions to the diagnostic data events and fields
+## Revisions
-## PartA_UserSid removed
+### PartA_UserSid removed
-A previous revision of this list stated that a field named PartA_UserSid was a member of the event Microsoft.Windows.LogonController.LogonAndUnlockSubmit. This was incorrect. The list has been updated to reflect that no such field is present in the event. Note that you can use the Windows Diagnostic Data Viewer to review the contents of the event.
+A previous revision of this list stated that a field named PartA_UserSid was a member of the event Microsoft.Windows.LogonController.LogonAndUnlockSubmit. This was incorrect. The list has been updated to reflect that no such field is present in the event.
 ### Office events added
 In Windows 10, version 1809 (also applies to versions 1709 and 1803 starting with [KB 4462932](https://support.microsoft.com/help/4462932/windows-10-update-kb4462932) and [KB 4462933](https://support.microsoft.com/help/4462933/windows-10-update-kb4462933) respectively), 16 events were added, describing Office app launch and availability. These events were added to improve the precision of Office data in Windows Analytics.
 >[!NOTE]
 >You can use the Windows Diagnostic Data Viewer to observe and review events and their fields as described in this topic.
--- a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md
@ -49,7 +49,6 @@ We used the following methodology to derive these network endpoints:
 | *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
 | *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. |
 | .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
 | telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
 | 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
 | 2.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
 | arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
@ -108,7 +107,13 @@ We used the following methodology to derive these network endpoints:
 | v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. |
 | wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
 | wallet-frontend-prod-westus.cloudapp.net | TLSv1.2 | Used by the Microsoft Wallet app. |
-| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
 | ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
 | ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
 | eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
 | eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
 | weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
 | weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
 | wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |
 | wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. |
 | www.bing.com | HTTP | Used for updates for Cortana, apps, and Live Tiles. |
@ -192,12 +197,17 @@ We used the following methodology to derive these network endpoints:
 | storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
 | store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
 | store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
-| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
 | ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
 | ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
 | eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
 | eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
 | weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
 | weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
 | tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
 | tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
 | v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. |
 | wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
 | watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
 | wdcp.microsoft.akadns.net | HTTPS | Used for Windows Defender when Cloud-based Protection is enabled. |
 | wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. |
 | www.bing.com | TLSv1.2 | Used for updates for Cortana, apps, and Live Tiles. |
@ -265,9 +275,15 @@ We used the following methodology to derive these network endpoints:
 | sls.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
 | store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
 | tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
-| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
 | ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
 | ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
 | eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
 | eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
 | weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
 | weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
 | tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. |
 | wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
-| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+
 | wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |
 | www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@ -435,6 +435,8 @@
 ### [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
 ### [Use attack surface reduction rules in Windows 10 Enterprise E3](windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md)
 ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
--- a/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md
@ -11,7 +11,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 09/03/2018
+ms.date: 10/29/2018
 ---
@ -19,7 +19,6 @@ ms.date: 09/03/2018
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 [!include[Prerelease information](prerelease.md)]
 1.	In the navigation pane, select **Advanced hunting**.
--- a/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md
@ -11,7 +11,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 09/03/2018
+ms.date: 10/29/2018
 ---
 # Managed security service provider support
@ -21,7 +21,7 @@ ms.date: 09/03/2018
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink)
-[!include[Prerelease information](prerelease.md)]
+
 Security is recognized as a key component in running an enterprise, however some organizations might not have the capacity or expertise to have a dedicated security operations team to manage the security of their endpoints and network, others may want to have a second set of eyes to review alerts in their network.
--- a/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md
+++ b/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md
@ -11,7 +11,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 09/03/2018
+ms.date: 10/29/2018
 ---
@ -19,7 +19,6 @@ ms.date: 09/03/2018
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 [!include[Prerelease information](prerelease.md)]
 Alerts in Windows Defender ATP are surfaced through the system based on signals gathered from endpoints. With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats.
--- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
@ -39,22 +39,10 @@ Turn on the preview experience setting to be among the first to try upcoming fea
 ## Preview features
 The following features are included in the preview release:
 - [Threat analytics](threat-analytics.md)<br>
 Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
 - [Incidents](incidents-queue.md)<br>
 Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network.
 - [Custom detection](overview-custom-detections.md)<br>
 With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. 
 - [Managed security service provider (MSSP) support](mssp-support-windows-defender-advanced-threat-protection.md)<br>
 Windows Defender ATP adds support for this scenario by providing MSSP integration. 
 The integration will allow MSSPs to take the following actions:
 Get access to MSSP customer's Windows Defender Security Center portal, fet email notifications, and fetch alerts through security information and event management (SIEM) tools.
 - [Integration with Azure Security Center](configure-server-endpoints-windows-defender-advanced-threat-protection.md#integration-with-azure-security-center)<br>
 Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.
--- a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md
@ -10,7 +10,7 @@ ms.sitesec: library
 ms.pagetype: security
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 04/24/2018
+ms.date: 10/26/2018
 ---
 # Configure the security controls in Secure score
@ -175,6 +175,10 @@ For more information, see [Windows Defender Application Guard overview](../windo
 ### Windows Defender SmartScreen optimization
 For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender SmartScreen is fulfilled.
 >[!WARNING]
 > Data collected by Windows Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Windows Defender ATP data.
 >[!IMPORTANT]
 >This security control is only applicable for machines with Windows 10, version 1709 or later.
--- a/windows/security/threat-protection/windows-defender-atp/threat-analytics.md
+++ b/windows/security/threat-protection/windows-defender-atp/threat-analytics.md
@ -11,14 +11,13 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 09/03/2018
+ms.date: 10/29/2018
 ---
 # Threat analytics 
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 [!include[Prerelease information](prerelease.md)]
 Cyberthreats are emerging more frequently and prevalently. It is critical for organizations to be able to quickly assess their security posture, including impact, and organizational resilience in the context of specific emerging threats. 
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 10/17/2018
+ms.date: 10/15/2018
 ---
 # Reduce attack surfaces with attack surface reduction rules 
@ -20,27 +20,24 @@ ms.date: 10/17/2018
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. 
+Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature is part of Windows Defender Advanced Threat Protection and provides:
 Attack surface reduction rules work best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
 Attack surface reduction rules each target specific behaviors that are typically used by malware and malicious apps to infect machines, such as:
 - Rules you can set to enable or disable specific behaviors that are typically used by malware and malicious apps to infect machines, such as:
 	- Executable files and scripts used in Office apps or web mail that attempt to download or run files
 	- Scripts that are obfuscated or otherwise suspicious
 	- Behaviors that apps undertake that are not usually initiated during normal day-to-day work
 - Centralized monitoring and reporting with deep optics that help you connect the dots across events, computers and devices, and networks
 - Analytics to enable ease of deployment, by using [audit mode](audit-windows-defender-exploit-guard.md) to show how attack surface reduction rules would impact your organization if they were enabled
-When a rule is triggered, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
+When an attack surface reduction rule is triggered, a notification displays from the Action Center on the user's computer. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information.
 You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled.
 ## Requirements
-Attack surface reduction rules require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md).
+Attack surface reduction rules are a feature of Windows Defender ATP and require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md).
 ## Attack surface reduction rules
-The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table:
+The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table.
 Rule name | GUID
 -|-
@ -56,7 +53,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3
 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
-Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
+Block only Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
 Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
 The rules apply to the following Office apps:
@ -70,7 +67,6 @@ The rules do not apply to any other Office apps.
 ### Rule: Block executable content from email client and webmail
 This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com):
 - Executable files (such as .exe, .dll, or .scr) 
@ -92,15 +88,12 @@ This rule targets typical behaviors used by suspicious and malicious add-ons and
 Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.
 ### Rule: Block Office applications from injecting code into other processes
 Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. 
 This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
 >[!IMPORTANT]
 >[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
@ -110,7 +103,6 @@ JavaScript and VBScript scripts can be used by malware to launch other malicious
 This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
 >[!IMPORTANT]
 >[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
@ -120,6 +112,8 @@ Malware and other threats can attempt to obfuscate or hide their malicious code
 This rule prevents scripts that appear to be obfuscated from running. 
 It uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script, or blocks scripts when an attempt is made to access them.
 ### Rule: Block Win32 API calls from Office macro
 Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system.
@ -133,14 +127,14 @@ This rule blocks the following file types from being run or launched unless they
 - Executable files (such as .exe, .dll, or .scr) 
 >[!NOTE]
->You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
 ### Rule: Use advanced protection against ransomware
 This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list.
 >[!NOTE]
->You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
 ### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
@ -166,7 +160,7 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
 - Executable files (such as .exe, .dll, or .scr) 
 - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
-### Rule: Block Office communication applications from creating child processes
+### Rule: Block only Office communication applications from creating child processes
 Office communication apps will not be allowed to create child processes. This includes Outlook.
@ -176,23 +170,29 @@ This is a typical malware behavior, especially for macro-based attacks that atte
 This rule blocks Adobe Reader from creating child processes.
 ## Review attack surface reduction rule events in the Windows Defender ATP Security Center
 Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). 
 You can query Windows Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how attack surface reduction rules would affect your environment if they were enabled.
 ## Review attack surface reduction rule events in Windows Event Viewer
 You can review the Windows event log to see events that are created when an attack surface reduction rule is triggered (or audited):
 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine.
-1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
+2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
-2. On the left panel, under **Actions**, click **Import custom view...**
+3. On the left panel, under **Actions**, click **Import custom view...**
    ![Animation showing the import custom view on the Event viewer window](images/events-import.gif)
-3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
+4. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
-4. Click **OK**.
+5. Click **OK**.
-5. This will create a custom view that filters to only show the following events related to attack surface reduction rules:
+6. This will create a custom view that filters to only show the following events related to attack surface reduction rules:
 Event ID | Description
 -|-
@ -200,8 +200,6 @@ You can review the Windows event log to see events that are created when an atta
 1122 | Event when rule fires in Audit-mode 
 1121 | Event when rule fires in Block-mode 
 ### Event fields
 - **ID**: matches with the Rule-ID that triggered the block/audit.
@ -209,6 +207,9 @@ You can review the Windows event log to see events that are created when an atta
 - **Process Name**: The process that performed the "operation" that was blocked/audited
 - **Description**: Additional details about the event or audit, including the signature, engine, and product version of Windows Defender Antivirus
 ## Attack surface reduction rules in Windows 10 Enterprise E3
 A subset of attack surface reduction rules are also available on Windows 10 Enterprise E3 without the benefit of centralized monitoring, reporting, and analytics. For more information, see [Use attack surface reduction rules in Windows 10 Enterprise E3](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3).
 ## In this section
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
@ -0,0 +1,51 @@
 ---
 title: Use attack surface reduction rules in Windows 10 Enterprise E3
 description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware
 keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
 ms.date: 10/15/2018
 ---
 # Use attack surface reduction rules in Windows 10 Enterprise E3
 **Applies to:**
 - Windows 10 Enterprise E3
 Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature area includes the rules, monitoring, reporting, and analytics necessary for deployment that are included in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), and require the Windows 10 Enterprise E5 license. 
 A limited subset of basic attack surface reduction rules can technically be used with Windows 10 Enterprise E3. They can be used without the benefits of reporting, monitoring, and analytics, which provide the ease of deployment and management capabilities necessary for enterprises. 
 Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
 The limited subset of rules that can be used in Windows 10 Enterprise E3 include:
 - Block executable content from email client and webmail
 - Block all Office applications from creating child processes
 - Block Office applications from creating executable content
 - Block Office applications from injecting code into other processes
 - Block JavaScript or VBScript from launching downloaded executable content
 - Block execution of potentially obfuscated scripts
 - Block Win32 API calls from Office macro
 - Use advanced protection against ransomware
 - Block credential stealing from the Windows local security authority subsystem (lsass.exe)
 - Block process creations originating from PSExec and WMI commands
 - Block untrusted and unsigned processes that run from USB
 For more information about these rules, see [Reduce attack surfaces with attack surface reduction rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard).
 ## Related topics
 Topic | Description 
 ---|---
 [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how attack surface reduction rules work, and what events would typically be created.
 [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage attack surface reduction rules in your network.
 [Customize attack surface reduction rules](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by attack surface reduction rules and customize the notification that appears on a user's machine when a rule blocks an app or file.