Merged PR 13777: Multiple changes to several troubleshooting topics + reorg of TOC in this area

Multiple examples added, text edited, and conceptual articles linked
2025-05-12 13:27:23 +00:00 · 2019-01-14 20:59:22 +00:00 · 2019-01-14 20:59:22 +00:00 · 8276671e81
commit 8276671e81
parent e9c5b8c8a0
19 changed files with 370 additions and 178 deletions
--- a/windows/client-management/TOC.md
+++ b/windows/client-management/TOC.md
@ -12,19 +12,19 @@
 ## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)
 ## [Windows libraries](windows-libraries.md)
 ## [Troubleshoot Windows 10 clients](windows-10-support-solutions.md)
-### [Advanced troubleshooting for Windows networking issues](troubleshoot-networking.md)
+### [Advanced troubleshooting for Windows networking](troubleshoot-networking.md)
-#### [Advanced troubleshooting Wireless Network Connectivity](advanced-troubleshooting-wireless-network-connectivity.md)
+#### [Advanced troubleshooting Wireless network connectivity](advanced-troubleshooting-wireless-network-connectivity.md)
-#### [Data collection for troubleshooting 802.1x Authentication](data-collection-for-802-authentication.md)
+#### [Advanced troubleshooting 802.1X authentication](advanced-troubleshooting-802-authentication.md)
-#### [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md)
+##### [Data collection for troubleshooting 802.1X authentication](data-collection-for-802-authentication.md)
-### [Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md)
+#### [Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md)
-#### [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md)
+##### [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md)
-#### [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md)
+##### [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md)
-#### [Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md)
+##### [Troubleshoot port exhaustion](troubleshoot-tcpip-port-exhaust.md)
-#### [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md)
+##### [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md)
-### [Advanced troubleshooting for Windows start-up issues](troubleshoot-windows-startup.md)
+### [Advanced troubleshooting for Windows startup](troubleshoot-windows-startup.md)
 #### [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
-#### [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md)
+#### [Advanced troubleshooting for Windows-based computer freeze](troubleshoot-windows-freeze.md)
-#### [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md)
+#### [Advanced troubleshooting for stop error or blue screen error](troubleshoot-stop-errors.md)
-#### [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md)
+#### [Advanced troubleshooting for stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md)
 ## [Mobile device management for solution providers](mdm/index.md)
 ## [Change history for Client management](change-history-for-client-management.md)
--- a/windows/client-management/advanced-troubleshooting-802-authentication.md
+++ b/windows/client-management/advanced-troubleshooting-802-authentication.md
@ -1,87 +1,118 @@
 ---
-title: Advanced Troubleshooting 802.1x Authentication
+title: Advanced Troubleshooting 802.1X Authentication
-description: Learn how 802.1x Authentication works
+description: Learn how 802.1X Authentication works
-keywords: advanced troubleshooting, 802.1x authentication, troubleshooting, authentication, Wi-Fi
+keywords: advanced troubleshooting, 802.1X authentication, troubleshooting, authentication, Wi-Fi
 ms.prod: w10
 ms.mktglfcycl:
 ms.sitesec: library
 author: kaushika-msft
 ms.localizationpriority: medium
-ms.author: mikeblodge
+ms.author: greg-lindsay
 ms.date: 10/29/2018
 ---
-# Advanced Troubleshooting 802.1x Authentication
+# Advanced troubleshooting 802.1X authentication
 ## Overview
-This is a general troubleshooting of 802.1x wireless and wired clients. With 
+
-802.1x and Wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make Access Points or Switches, it won't be an end-to-end Microsoft solution.
+This is a general troubleshooting of 802.1X wireless and wired clients. With 802.1X and wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make access points or wwitches, it won't be an end-to-end Microsoft solution.
-### Scenarios
+## Scenarios
 This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 - 10 for clients, and Windows Server 2008 R2 - 2012 R2 for NPS.
-### Known Issues
+## Known Issues
 N/A
 ### Data Collection
 [Advanced Troubleshooting 802.1x Authentication Data Collection](https://docs.microsoft.com/en-us/windows/client-management/data-collection-for-802-authentication)
 ### Troubleshooting
 - Viewing the NPS events in the Windows Security Event log is one of the most useful troubleshooting methods to obtain information about failed authentications.
-NPS event log entries contain information on the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. NPS event logging for rejected or accepted connection is enabled by default.
+None
 Check Windows Security Event log on the NPS Server for NPS events corresponding to rejected (event ID 6273) or accepted (event ID 6272) connection attempts.
-In the event message, scroll to the very bottom, and check the **Reason Code** field and the text associated with it.
+## Data Collection
 See [Advanced troubleshooting 802.1X authentication data collection](data-collection-for-802-authentication.md).
-![example of an audit failure](images/auditfailure.png)
+## Troubleshooting
-*Example: event ID 6273 (Audit Failure)*
+
 Viewing [NPS authentication status events](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735320(v%3dws.10)) in the Windows Security [event log](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc722404(v%3dws.11)) is one of the most useful troubleshooting methods to obtain information about failed authentications.
 NPS event log entries contain information on the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. If you are not seeing both success and failure events, see the section below on [NPS audit policy](#audit-policy).
 Check Windows Security Event log on the NPS Server for NPS events corresponding to rejected ([event ID 6273](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts.
 In the event message, scroll to the very bottom, and check the [Reason Code](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text associated with it.
   ![example of an audit failure](images/auditfailure.png)
   *Example: event ID 6273 (Audit Failure)*<br><br>
 ‎
-![example of an audit success](images/auditsuccess.png)
+   ![example of an audit success](images/auditsuccess.png)
-*Example: event ID 6272 (Audit Success)*
+   *Example: event ID 6272 (Audit Success)*<br>
-‎ 
+‎The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, Wired AutoConfig operational log is equivalent one.
 - The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, Wired AutoConfig operational log is equivalent one.
-On client side, navigate to the Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational for wireless issue (for wired network access, ..\Wired-AutoConfig/Operational).
+On the client side, navigate to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, navigate to  **..\Wired-AutoConfig/Operational**. See the following example:
 ![event viewer screenshot showing wired-autoconfig and WLAN autoconfig](images/eventviewer.png)
- Most 802.1X authentication issues is due to problems with the certificate which is used for client or server authentication (e.g. invalid certificate, expiration, chain verification failure, revocation check failure, etc.). 
+Most 802.1X authentication issues are due to problems with the certificate that is used for client or server authentication (e.g. invalid certificate, expiration, chain verification failure, revocation check failure, etc.). 
-First, make sure which type of EAP method is being used.
+First, validate the type of EAP method being used:
 ![eap authentication type comparison](images/comparisontable.png)
- If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from EAP property menu. See figure below.
+If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu:
 ![Constraints tab of the secure wireless connections properties](images/eappropertymenu.png)
- The CAPI2 event log will be useful for troubleshooting certificate-related issues.
+The CAPI2 event log will be useful for troubleshooting certificate-related issues.
-This log is not enabled by default. You can enable this log by navigating to the Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2 directory and expand it, then right-click on the Operational view and click the Enable Log menu.
+This log is not enabled by default. You can enable this log by expanding **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2**, right-clicking **Operational** and then clicking **Enable Log**.
-![screenshot of event viewer](images/eventviewer.png)
+![screenshot of event viewer](images/capi.png)
-You can refer to this article about how to analyze CAPI2 event logs.
+The following article explains how to analyze CAPI2 event logs:
-[Troubleshooting PKI Problems on Windows Vista](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29)
+[Troubleshooting PKI Problems on Windows Vista](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29).
 For detailed troubleshooting 802.1X authentication issues, it&#39;s important to understand 802.1X authentication process. The figure below is an example of wireless connection process with 802.1X authentication.
-![aithenticatior flow chart](images/authenticator_flow_chart.png)
+When troubleshooting complex 802.1X authentication issues, it is important to understand the 802.1X authentication process. The following figure is an example of wireless connection process with 802.1X authentication:
- 
+
- If you collect network packet capture on both a client and a NPS side, you can see the flow like below. Type **EAPOL** in Display Filter menu in Network Monitor for a client side and **EAP** for a NPS side.
+![authenticatior flow chart](images/authenticator_flow_chart.png)
 > [!NOTE]
 > info not critical to a task If you also enable wireless scenario trace with network packet capture, you can see more detailed information on Network Monitor with **ONEX\_MicrosoftWindowsOneX** and **WLAN\_MicrosoftWindowsWLANAutoConfig** Network Monitor filtering applied.
 If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter in for a client side capture, and **EAP** for an NPS side capture. See the following examples:
 ![client-side packet capture data](images/clientsidepacket_cap_data.png)
-*Client-side packet capture data*
+*Client-side packet capture data*<br><br>
 ![NPS-side packet capture data](images/NPS_sidepacket_capture_data.png) 
-*NPS-side packet capture data*
+*NPS-side packet capture data*<br>
-‎ 
+‎
 > [!NOTE]
 > If you have a wireless trace, you can also [view ETL files with network monitor](https://docs.microsoft.com/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. Follow the instructions under the **Help** menu in Network Monitor to load the reqired [parser](https://blogs.technet.microsoft.com/netmon/2010/06/04/parser-profiles-in-network-monitor-3-4/) if needed. See the example below.
 ![ETL parse](images/etl.png) 
 ## Audit policy
 NPS audit policy (event logging) for connection success and failure is enabled by default. If you find that one or both types of logging are disabled, use the following steps to troubleshoot.
 View the current audit policy settings by running the following command on the NPS server:
 ```
 auditpol /get /subcategory:"Network Policy Server"
 ```
 If both success and failure events are enabled, the output should be:
 <pre>
 System audit policy
 Category/Subcategory                      Setting
 Logon/Logoff
  Network Policy Server                   Success and Failure
 </pre>
 If it shows ‘No auditing’, you can run this command to enable it:
 ```
 auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
 ```
 Even if audit policy appears to be fully enabled, it sometimes helps to disable and then re-enable this setting. You can also enable Network Policy Server logon/logoff auditing via Group Policy. The success/failure setting can be found under **Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff -> Audit Network Policy Server**.
 ## Additional references
 [Troubleshooting Windows Vista 802.11 Wireless Connections](https://technet.microsoft.com/ja-jp/library/cc766215%28v=ws.10%29.aspx)
-[Troubleshooting Windows Vista Secure 802.3 Wired Connections](https://technet.microsoft.com/de-de/library/cc749352%28v=ws.10%29.aspx)
+[Troubleshooting Windows Vista 802.11 Wireless Connections](https://technet.microsoft.com/library/cc766215%28v=ws.10%29.aspx)<br>
 [Troubleshooting Windows Vista Secure 802.3 Wired Connections](https://technet.microsoft.com/library/cc749352%28v=ws.10%29.aspx)
--- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
+++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
@ -7,30 +7,31 @@ ms.mktglfcycl:
 ms.sitesec: library
 author: kaushika-msft
 ms.localizationpriority: medium
-ms.author: mikeblodge
+ms.author: greg-lindsay
 ms.date: 10/29/2018
 ---
-# Advanced Troubleshooting Wireless Network Connectivity
+
 # Advanced troubleshooting wireless network connectivity
 > [!NOTE]
 > Home users: This article is intended for use by support agents and IT professionals. If you're looking for more general information about Wi-Fi problems in Windows 10, check out this [Windows 10 Wi-Fi fix article](https://support.microsoft.com/en-in/help/4000432/windows-10-fix-wi-fi-problems).
 ## Overview
-This is a general troubleshooting of establishing Wi-Fi connections from Windows Clients.
+
 This is a general troubleshooting of establishing Wi-Fi connections from Windows clients.
 Troubleshooting Wi-Fi connections requires understanding the basic flow of the Wi-Fi autoconnect state machine. Understanding this flow makes it easier to determine the starting point in a repro scenario in which a different behavior is found.
 This workflow involves knowledge and use of [TextAnalysisTool](https://github.com/TextAnalysisTool/Releases), an extensive text filtering tool that is useful with complex traces with numerous ETW providers such as wireless_dbg trace scenario.
 ## Scenarios
-Any scenario in which Wi-Fi connections are attempted and fail to establish. The troubleshooter is developed with Windows 10 clients in focus, but also may be useful with traces as far back as Windows 7.
+This article applies to any scenario in which Wi-Fi connections fail to establish. The troubleshooter is developed with Windows 10 clients in focus, but also may be useful with traces as far back as Windows 7.
 > [!NOTE]
-> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component ETW. It is not meant to be representative of every wireless problem scenario.
+> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component [Event Tracing for Windows](https://docs.microsoft.com/windows/desktop/etw/event-tracing-portal) (ETW). It is not meant to be representative of every wireless problem scenario.
-Wireless ETW is incredibly verbose and calls out lots of innocuous errors (i.e. Not really errors so much as behaviors that are flagged and have nothing to do with the problem scenario). Simply searching for or filtering on "err", "error", and "fail" will seldom lead you to the root cause of a problematic Wi-Fi scenario. Instead it will flood the screen with meaningless logs that will obfuscate the context of the actual problem.
+Wireless ETW is incredibly verbose and calls out a lot of innocuous errors (rather flagged behaviors that have little or nothing to do with the problem scenario). Simply searching for or filtering on "err", "error", and "fail" will seldom lead you to the root cause of a problematic Wi-Fi scenario. Instead it will flood the screen with meaningless logs that will obfuscate the context of the actual problem.
 It is important to understand the different Wi-Fi components involved, their expected behaviors, and how the problem scenario deviates from those expected behaviors.
-The intention of this troubleshooter is to show how to find a starting point in the verbosity of wireless_dbg ETW and home in on the responsible component(s) causing the connection problem.
+The intention of this troubleshooter is to show how to find a starting point in the verbosity of wireless_dbg ETW and home in on the responsible components that are causing the connection problem.
 ### Known Issues and fixes
 ** **
@ -41,6 +42,7 @@ The intention of this troubleshooter is to show how to find a starting point in
 | **Windows 10, version 1703** | [KB4338827](https://support.microsoft.com/help/4338827) |
 Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update-history webpage for your system:
 - [Windows 10 version 1809](https://support.microsoft.com/help/4464619)
 - [Windows 10 version 1803](https://support.microsoft.com/help/4099479)
 - [Windows 10 version 1709](https://support.microsoft.com/en-us/help/4043454)
 - [Windows 10 version 1703](https://support.microsoft.com/help/4018124)
@ -50,35 +52,47 @@ Make sure that you install the latest Windows updates, cumulative updates, and r
 - [Windows Server 2012](https://support.microsoft.com/help/4009471)
 - [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/40009469)
-### Data Collection
+## Data Collection
 1. Network Capture with ETW. Use the following command:
-    **netsh trace start wireless\_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl**
+1. Network Capture with ETW. Enter the following at an elevated command prompt:
-2. Reproduce the issue if:
+    ```
-    - There is a failure to establish connection, try to manually connect
+    netsh trace start wireless_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl
-    - It is intermittent but easily reproducible, try to manually connect until it fails. Include timestamps of each connection attempt (successes and failures)
+    ```
-    - Tue issue is intermittent but rare, netsh trace stop command needs to be triggered automatically (or at least alerted to admin quickly) to ensure trace doesn’t overwrite the repro data.
+2. Reproduce the issue.
-    - Intermittent connection drops trigger stop command on a script (ping or test network constantly until fail, then netsh trace stop).
+    - If there is a failure to establish connection, try to manually connect.
    - If it is intermittent but easily reproducible, try to manually connect until it fails. Record the time of each connection attempt, and whether it was a success or failure.
    - If the issue is intermittent but rare, netsh trace stop command needs to be triggered automatically (or at least alerted to admin quickly) to ensure trace doesn’t overwrite the repro data.
    - If intermittent connection drops trigger stop command on a script (ping or test network constantly until fail, then netsh trace stop).
 3. Stop the trace by entering the following command: 
    ```
    netsh trace stop
    ```
 4. To convert the output file to text format: 
    ```
    netsh trace convert c:\tmp\wireless.etl
    ```
 See the [example ETW capture](#example-etw-capture) at the bottom of this article for an example of the command output. After running these commands, you will have three files: wireless.cab, wireless.etl, and wireless.txt.
 ## Troubleshooting
 3. Run this command to stop the trace: **netsh trace stop**
 4. To convert the output file to text format: **netsh trace convert c:\tmp\wireless.etl**
 ### Troubleshooting
 The following is a high-level view of the main wifi components in Windows.
 ![Wi-Fi stack components](images/wifistackcomponents.png)
-The Windows Connection Manager (Wcmsvc) is closely associated with the UI controls (see taskbar icon) to connect to various networks including wireless. It accepts and processes input from the user and feeds it to the core wireless service (Wlansvc). The Wireless Autoconfig Service (Wlansvc) handles the core functions of wireless networks in windows:
+<table>
 <tr><td><img src="images/wcm.png"></td><td>The <b>Windows Connection Manager</b> (Wcmsvc) is closely associated with the UI controls (taskbar icon) to connect to various networks, including wireless networks. It accepts and processes input from the user and feeds it to the core wireless service. </td></tr>
 <tr><td><img src="images/wlan.png"></td><td>The <b>WLAN Autoconfig Service</b> (WlanSvc) handles the following core functions of wireless networks in windows:
 - Scanning for wireless networks in range
- Managing connectivity of wireless networks
+- Managing connectivity of wireless networks</td></tr>
 <tr><td><img src="images/msm.png"></td><td>The <b>Media Specific Module</b> (MSM) handles security aspects of connection being established.</td></tr>
 <tr><td><img src="images/wifi-stack.png"></td><td>The <b>Native Wifi stack</b> consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc.</td></tr>
 <tr><td><img src="images/miniport.png"></td><td>Third-party <b>wireless miniport</b> drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows.</td></tr>
 </table>
 The Media Specific Module (MSM) handles security aspects of connection being established.
 The Native Wifi stack consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc.
 Third-party wireless miniport drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows.
 The wifi connection state machine has the following states:
 - Reset
 - Ihv_Configuring
@ -99,86 +113,105 @@ Reset --> Ihv_Configuring --> Configuring --> Associating --> Authenticating -->
 Connected --> Roaming --> Wait_For_Disconnected --> Disconnected --> Reset
- Filtering the ETW trace with the provided [TextAnalyisTool (TAT)](Missing wifi.tat file) filter is an easy first step to determine where a failed connection setup is breaking down:
+>Filtering the ETW trace with the [TextAnalysisTool](https://github.com/TextAnalysisTool/Releases) (TAT) is an easy first step to determine where a failed connection setup is breaking down.  A useful [wifi filter file](#wifi-filter-file) is included at the bottom of this article.
 Use the **FSM transition** trace filter to see the connection state machine.
 Example of a good connection setup:
-```
+Use the **FSM transition** trace filter to see the connection state machine. You can see [an example](#textanalysistool-example) of this filter applied in the TAT at the bottom of this page.
 The following is an example of a good connection setup:
 <pre>
 44676 [2]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset
-45473 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv\_Configuring
+45473 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv_Configuring
-45597 [3]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv\_Configuring to State: Configuring
+45597 [3]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv_Configuring to State: Configuring
 46085 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.710 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Configuring to State: Associating
 47393 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.879 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Associating to State: Authenticating
 49465 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Connected
-```
+</pre>
-Example of a failed connection setup:
+
-```
+The following is an example of a failed connection setup:
 <pre>
 44676 [2]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset
-45473 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv\_Configuring
+45473 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv_Configuring
-45597 [3]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv\_Configuring to State: Configuring
+45597 [3]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv_Configuring to State: Configuring
 46085 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.710 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Configuring to State: Associating
 47393 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.879 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Associating to State: Authenticating
 49465 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Roaming
-```
+</pre>
-By identifying the state at which the connection fails, one can focus more specifically in the trace on logs just prior to the last known good state. Examining **[Microsoft-Windows-WLAN-AutoConfig]** logs just prior to the bad state change should show evidence of error. Often, however, the error is propagated up through other wireless components.
+
 By identifying the state at which the connection fails, one can focus more specifically in the trace on logs just prior to the last known good state. 
 Examining **[Microsoft-Windows-WLAN-AutoConfig]** logs just prior to the bad state change should show evidence of error. Often, however, the error is propagated up through other wireless components.
 In many cases the next component of interest will be the MSM, which lies just below Wlansvc.
 ![MSM details](images/msmdetails.png)
 The important components of the MSM include:
 - Security Manager (SecMgr) - handles all pre and post-connection security operations.
 - Authentication Engine (AuthMgr) – Manages 802.1x auth requests
    ![MSM details](images/msmdetails.png)
 Each of these components has their own individual state machines which follow specific transitions.
 Enable the **FSM transition, SecMgr Transition,** and **AuthMgr Transition** filters in TextAnalysisTool for more detail.
 Continuing with the example above, the combined filters look like this:
-```
+<pre>
 [2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Reset to State: Ihv_Configuring
 [2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Ihv_Configuring to State: Configuring
 [1] 0C34.2FE8::08/28/17-13:24:28.711 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Configuring to State: Associating
-[0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition INACTIVE (1) --> ACTIVE (2)
+[0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition INACTIVE (1) --> ACTIVE (2)
-[0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition ACTIVE (2) --> START AUTH (3)
+[0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition ACTIVE (2) --> START AUTH (3)
 [4] 0EF8.0708::08/28/17-13:24:28.928 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition ENABLED  --> START_AUTH  
 [3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Associating to State: Authenticating
-[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
+[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
 [4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition START_AUTH  --> AUTHENTICATING  
-[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
+[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
-[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
+[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
 [2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Authenticating to State: Roaming
-```
+</pre>
 > [!NOTE]
-> In this line the SecMgr transition is suddenly deactivating. This transition is what eventually propagates to the main connection state machine and causes the Authenticating phase to devolve to Roaming state. As before, it makes sense to focus on tracing just prior to this SecMgr behavior to determine the reason for the deactivation.
+> In the next to last line the SecMgr transition is suddenly deactivating:<br>
 >\[2\] 0C34.2FF0::08/28/17-13:24:29.7512788 \[Microsoft-Windows-WLAN-AutoConfig\]Port\[13\] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)<br><br>
 >This transition is what eventually propagates to the main connection state machine and causes the Authenticating phase to devolve to Roaming state. As before, it makes sense to focus on tracing just prior to this SecMgr behavior to determine the reason for the deactivation.
- Enabling the **Microsoft-Windows-WLAN-AutoConfig** filter will show more detail leading to the DEACTIVATE transition:
+Enabling the **Microsoft-Windows-WLAN-AutoConfig** filter will show more detail leading to the DEACTIVATE transition:
-```
+<pre>
 [3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Associating to State: Authenticating
-[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
+[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
 [4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition START_AUTH  --> AUTHENTICATING  
 [0]0EF8.2EF4::‎08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PHY_STATE_CHANGE  
 [0]0EF8.2EF4::08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Change radio state for interface = Intel(R) Centrino(R) Ultimate-N 6300 AGN :  PHY = 3, software state = on , hardware state = off ) 
 [0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PORT_DOWN  
 [0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]FSM Current state Authenticating , event Upcall_Port_Down  
 [0] 0EF8.1174:: 08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received IHV PORT DOWN, peer 0x186472F64FD2 
-[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
+[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
- [2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
+ [2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
 [2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Authenticating to State: Roaming
-```
+</pre>
- The trail backwards reveals a Port Down notification. Port events indicate changes closer to the wireless hardware. The trail can be followed by continuing to see the origin of this indication.
+
-Below, the MSM is the native wifi stack (as seen in Figure 1). These are Windows native wifi drivers which talk to the wifi miniport driver(s). It is responsible for converting Wi-Fi (802.11) packets to 802.3 (Ethernet) so that TCPIP and other protocols and can use it.
+The trail backwards reveals a **Port Down** notification:
 \[0\] 0EF8.1174:: 08/28/17-13:24:29.705 \[Microsoft-Windows-WLAN-AutoConfig\]Received IHV PORT DOWN, peer 0x186472F64FD2
 Port events indicate changes closer to the wireless hardware. The trail can be followed by continuing to see the origin of this indication.
 Below, the MSM is the native wifi stack. These are Windows native wifi drivers which talk to the wifi miniport drivers. It is responsible for converting Wi-Fi (802.11) packets to 802.3 (Ethernet) so that TCPIP and other protocols and can use it.
 Enable trace filter for **[Microsoft-Windows-NWifi]:**
-```
+<pre>
 [3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Associating to State: Authenticating
-[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
+[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
 [4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x8A1514B62510 AuthMgr Transition START_AUTH  --> AUTHENTICATING  
 [0]0000.0000::‎08/28/17-13:24:29.127 [Microsoft-Windows-NWiFi]DisAssoc: 0x8A1514B62510 Reason: 0x4 
 [0]0EF8.2EF4::‎08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PHY_STATE_CHANGE  
@ -186,14 +219,108 @@ Associating to State: Authenticating
 [0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PORT_DOWN  
 [0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]FSM Current state Authenticating , event Upcall_Port_Down  
 [0] 0EF8.1174:: 08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received IHV PORT DOWN, peer 0x186472F64FD2 
-[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
+[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
- [2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
+ [2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
 [2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
-Authenticating to State: Roaming
+Authenticating to State: Roaming</pre>
 In the trace above, we see the line:
 <pre>
 [0]0000.0000::‎08/28/17-13:24:29.127 [Microsoft-Windows-NWiFi]DisAssoc: 0x8A1514B62510 Reason: 0x4</pre>
 This is followed by **PHY_STATE_CHANGE** and **PORT_DOWN** events due to a disassociate coming from the Access Point (AP), as an indication to deny the connection. This could be due to invalid credentials, connection parameters, loss of signal/roaming, and various other reasons for aborting a connection. The action here would be to examine the reason for the disassociate sent from the indicated AP MAC (8A:15:14:B6:25:10). This would be done by examining internal logging/tracing from the AP.
 ### Resources
 [802.11 Wireless Tools and Settings](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755892(v%3dws.10))<br>
 [Understanding 802.1X authentication for wireless networks](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759077%28v%3dws.10%29)<br>
 ## Example ETW capture
 <pre>
 C:\tmp>netsh trace start wireless_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl
 Trace configuration:
 -------------------------------------------------------------------
 Status:             Running
 Trace File:         C:\tmp\wireless.etl
 Append:             Off
 Circular:           On
 Max Size:           4096 MB
 Report:             Off
 C:\tmp>netsh trace stop
 Correlating traces ... done
 Merging traces ... done
 Generating data collection ... done
 The trace file and additional troubleshooting information have been compiled as "c:\tmp\wireless.cab".
 File location = c:\tmp\wireless.etl
 Tracing session was successfully stopped.
 C:\tmp>netsh trace convert c:\tmp\wireless.etl
 Input file:  c:\tmp\wireless.etl
 Dump file:   c:\tmp\wireless.txt
 Dump format: TXT
 Report file: -
 Generating dump ... done
 C:\tmp>dir
 Volume in drive C has no label.
 Volume Serial Number is 58A8-7DE5
 Directory of C:\tmp
 01/09/2019  02:59 PM    [DIR]          .
 01/09/2019  02:59 PM    [DIR]          ..
 01/09/2019  02:59 PM         4,855,952 wireless.cab
 01/09/2019  02:56 PM         2,752,512 wireless.etl
 01/09/2019  02:59 PM         2,786,540 wireless.txt
               3 File(s)     10,395,004 bytes
               2 Dir(s)  46,648,332,288 bytes free
 </pre>
 ## Wifi filter file
 Copy and paste all the lines below and save them into a text file named "wifi.tat." Load the filter file into the TextAnalysisTool by clicking **File > Load Filters**.
 ```
 <?xml version="1.0" encoding="utf-8" standalone="yes"?>
 <TextAnalysisTool.NET version="2018-01-03" showOnlyFilteredLines="False">
  <filters>
    <filter enabled="n" excluding="n" description="" foreColor="000000" backColor="d3d3d3" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-OneX]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Unknown]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-EapHost]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[]***" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-Winsock-AFD]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-WinHttp]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-WebIO]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-Winsock-NameResolution]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-TCPIP]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-DNS-Client]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-NlaSvc]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-Iphlpsvc-Trace]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-DHCPv6-Client]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-Dhcp-Client]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-NCSI]" />
    <filter enabled="y" excluding="n" description="" backColor="90ee90" type="matches_text" case_sensitive="n" regex="n" text="AuthMgr Transition" />
    <filter enabled="y" excluding="n" description="" foreColor="0000ff" backColor="add8e6" type="matches_text" case_sensitive="n" regex="n" text="FSM transition" />
    <filter enabled="y" excluding="n" description="" foreColor="000000" backColor="dda0dd" type="matches_text" case_sensitive="n" regex="n" text="SecMgr transition" />
    <filter enabled="y" excluding="n" description="" foreColor="000000" backColor="f08080" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-NWiFi]" />
    <filter enabled="y" excluding="n" description="" foreColor="000000" backColor="ffb6c1" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-WiFiNetworkManager]" />
    <filter enabled="y" excluding="n" description="" foreColor="000000" backColor="dda0dd" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-WLAN-AutoConfig]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-NetworkProfile]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-WFP]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[Microsoft-Windows-WinINet]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="[MSNT_SystemTrace]" />
    <filter enabled="y" excluding="y" description="" foreColor="000000" backColor="ffffff" type="matches_text" case_sensitive="n" regex="n" text="Security]Capability" />
  </filters>
 </TextAnalysisTool.NET>
 ```
 The port down event is occurring due to a Disassociate coming Access Point as an indication to deny the connection. This could be due to invalid credentials, connection parameters, loss of signal/roaming, and various other reasons for aborting a connection. The action here would be to examine the reason for the disassociate sent from the indicated AP MAC (8A:15:14:B6:25:10). This would be done by examining internal logging/tracing from MAC device.
-### **Resources**
+## TextAnalysisTool example
 ### [802.11 Wireless Tools and Settings](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755892(v%3dws.10))
 ### [Understanding 802.1X authentication for wireless networks](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759077%28v%3dws.10%29)
 In the following example, the **View** settings are configured to **Show Only Filtered Lines**.
 ![TAT filter example](images/tat.png)
--- a/windows/client-management/data-collection-for-802-authentication.md
+++ b/windows/client-management/data-collection-for-802-authentication.md
@ -1,78 +1,72 @@
 ---
-title: Data Collection for Troubleshooting 802.1x Authentication
+title: Data collection for troubleshooting 802.1X authentication
-description: Data needed for reviewing 802.1x Authentication issues
+description: Data needed for reviewing 802.1X Authentication issues
-keywords: troubleshooting, data collection, data, 802.1x authentication, authentication, data
+keywords: troubleshooting, data collection, data, 802.1X authentication, authentication, data
 ms.prod: w10
 ms.mktglfcycl:
 ms.sitesec: library
 author: kaushika-msft
 ms.localizationpriority: medium
 ms.author: mikeblodge
 ms.date: 10/29/2018
 ---
-# Data Collection for Troubleshooting 802.1x Authentication
+# Data collection for troubleshooting 802.1X authentication
- 
+
 Use the following steps to collect data that can be used to troubleshoot 802.1X authentication issues. When you have collected data, see [Advanced troubleshooting 802.1X authentication](advanced-troubleshooting-802-authentication.md).
 ## Capture wireless/wired functionality logs
 Use the following steps to collect wireless and wired logs on Windows and Windows Server:
 1. Create C:\MSLOG on the client machine to store captured logs.
-2. Launch a command prompt as an administrator on the client machine, and run the following commands to start RAS trace log and Wireless/Wired scenario log.
+2. Launch an elevated command prompt on the client machine, and run the following commands to start a RAS trace log and a Wireless/Wired scenario log.
   **Wireless Windows 8.1 and Windows 10:**
   ```
   netsh ras set tracing * enabled
   netsh trace start scenario=wlan,wlan_wpp,wlan_dbg,wireless_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl
   ```
-
+   
-   **Wireless Windows 7 and Windows 8:**
+   <br>**Wireless Windows 7 and Windows 8:**
   ```
   netsh ras set tracing * enabled
   netsh trace start scenario=wlan,wlan_wpp,wlan_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl
   ```
-
+   
-   **Wired client, regardless of version**
+   <br>**Wired client, regardless of version**
   ```
   netsh ras set tracing * enabled
   netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_cli.etl
   ```
 3. Run the following command to enable CAPI2 logging:
   ```
   wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
   ```
 4. Create C:\MSLOG on the NPS to store captured logs.
-5. Launch a command prompt as an administrator on the NPS and run the following commands to start RAS trace log and Wireless/Wired scenario log:
+5. Launch an elevated command prompt on the NPS server and run the following commands to start a RAS trace log and a Wireless/Wired scenario log:
   **Windows Server 2012 R2, Windows Server 2016 wireless network:**
   ```
   netsh ras set tracing * enabled
   netsh trace start scenario=wlan,wlan_wpp,wlan_dbg,wireless_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl
   ```
-
+    
-   **Windows Server 2008 R2, Windows Server 2012 wireless network**
+   <br>**Windows Server 2008 R2, Windows Server 2012 wireless network**
   ```
   netsh ras set tracing * enabled
   netsh trace start scenario=wlan,wlan_wpp,wlan_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl
   ```
-   **Wired network**
+   <br>**Wired network**
   ```
   netsh ras set tracing * enabled
   netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_nps.etl
   ```
 6. Run the following command to enable CAPI2 logging:
   ```
    wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
  ```
@ -82,16 +76,16 @@ Use the following steps to collect wireless and wired logs on Windows and Window
   > When the mouse button is clicked, the cursor will blink in red while capturing a screen image.
   ```
-    psr /start /output c:\MSLOG\%computername%_psr.zip /maxsc 100
+   psr /start /output c:\MSLOG\%computername%_psr.zip /maxsc 100
   ```
 8. Repro the issue.
 9. Run the following command on the client PC to stop the PSR capturing:
   ```
-      psr /stop
+   psr /stop
   ```
-10. Run the following commands from the command prompt on the NPS.
+10. Run the following commands from the command prompt on the NPS server.
   - To stop RAS trace log and wireless scenario log:
@ -134,14 +128,14 @@ Use the following steps to collect wireless and wired logs on Windows and Window
      - C:\MSLOG\%COMPUTERNAME%_wireless_nps.cab (%COMPUTERNAME%_wired_nps.cab for wired scenario)
      - All log files and folders in %Systemroot%\Tracing
-## Save environmental and configuration information
+## Save environment and configuration information
 ### On Windows client
 1. Create C:\MSLOG to store captured logs.
 2. Launch a command prompt as an administrator.
 3. Run the following commands.
-   - Environmental information and Group Policies application status
+   - Environment information and Group Policy application status
   ```               
   gpresult /H C:\MSLOG\%COMPUTERNAME%_gpresult.htm
@ -299,7 +293,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window
 4. Save the logs stored in C:\MSLOG.
-### Certificate Authority (CA) (OPTIONAL)
+## Certification Authority (CA) (OPTIONAL)
 1. On a CA, launch a command prompt as an administrator. Create C:\MSLOG to store captured logs.
 2. Run the following commands.
@ -378,7 +372,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window
   ```powershell
   Import-Module ActiveDirectory
-   Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter \* -Properties \* | fl \* > C:\MSLOG\Get-ADObject_$Env:COMPUTERNAME.txt
+   Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter * -Properties * | fl * > C:\MSLOG\Get-ADObject_$Env:COMPUTERNAME.txt
   ```
 7. Save the following logs.
   - All files in C:\MSLOG on the CA
--- a/windows/client-management/images/capi.png
+++ b/windows/client-management/images/capi.png
--- a/windows/client-management/images/etl.png
+++ b/windows/client-management/images/etl.png
--- a/windows/client-management/images/eventviewer.png
+++ b/windows/client-management/images/eventviewer.png
--- a/windows/client-management/images/miniport.png
+++ b/windows/client-management/images/miniport.png
--- a/windows/client-management/images/msm.png
+++ b/windows/client-management/images/msm.png
--- a/windows/client-management/images/msmdetails.png
+++ b/windows/client-management/images/msmdetails.png
--- a/windows/client-management/images/nm-adapters.png
+++ b/windows/client-management/images/nm-adapters.png
--- a/windows/client-management/images/nm-start.png
+++ b/windows/client-management/images/nm-start.png
--- a/windows/client-management/images/tat.png
+++ b/windows/client-management/images/tat.png
--- a/windows/client-management/images/wcm.png
+++ b/windows/client-management/images/wcm.png
--- a/windows/client-management/images/wifi-stack.png
+++ b/windows/client-management/images/wifi-stack.png
--- a/windows/client-management/images/wlan.png
+++ b/windows/client-management/images/wlan.png
--- a/windows/client-management/troubleshoot-networking.md
+++ b/windows/client-management/troubleshoot-networking.md
@ -1,20 +1,34 @@
 ---
-title: Advanced troubleshooting for Windows networking issues
+title: Advanced troubleshooting for Windows networking
-description: Learn how to troubleshoot networking issues.
+description: Learn how to troubleshoot networking
 ms.prod: w10
 ms.sitesec: library
 ms.topic: troubleshooting
 author: kaushika-msft
 ms.localizationpriority: medium
 ms.author: kaushika
 ms.date: 
 ---
-# Advanced troubleshooting for Windows networking issues
+# Advanced troubleshooting for Windows networking
-In these topics, you will learn how to troubleshoot common problems related to Windows networking.
+The following topics are available to help you troubleshoot common problems related to Windows networking.
- [Advanced troubleshooting Wireless Network](advanced-troubleshooting-wireless-network-connectivity.md)
+- [Advanced troubleshooting for wireless network connectivity](advanced-troubleshooting-wireless-network-connectivity.md)
- [Data collection for troubleshooting 802.1x authentication](data-collection-for-802-authentication.md)
+- [Advanced troubleshooting 802.1X authentication](advanced-troubleshooting-802-authentication.md)
- [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md)
+    - [Data collection for troubleshooting 802.1X authentication](data-collection-for-802-authentication.md)
- [Advanced troubleshooting for TCP/IP issues](troubleshoot-tcpip.md)
+- [Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md)
    - [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md)
    - [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md)
    - [Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md)
    - [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md)
 ## Concepts and technical references
 [802.1X authenticated wired access overview](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831831(v=ws.11))<br>
 [802.1X authenticated wireless access overview](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994700(v%3dws.11))<br>
 [Wireless cccess deployment overview](https://docs.microsoft.com/windows-server/networking/core-network-guide/cncg/wireless/b-wireless-access-deploy-overview)<br>
 [TCP/IP technical reference](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd379473(v=ws.10))<br>
 [Network Monitor](https://docs.microsoft.com/windows/desktop/netmon2/network-monitor)<br>
 [RPC and the network](https://docs.microsoft.com/windows/desktop/rpc/rpc-and-the-network)<br>
 [How RPC works](https://docs.microsoft.com/windows/desktop/rpc/how-rpc-works)<br>
 [NPS reason codes](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v=ws.10))<br>
--- a/windows/client-management/troubleshoot-tcpip-netmon.md
+++ b/windows/client-management/troubleshoot-tcpip-netmon.md
@ -16,29 +16,27 @@ In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is
 To get started, [download and run NM34_x64.exe](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image.
-![A view of the properties for the adapter](images/tcp-ts-1.png)
+![Adapters](images/nm-adapters.png)
 When the driver gets hooked to the network interface card (NIC) during installation, the NIC is reinitialized, which might cause a brief network glitch.
 **To capture traffic**
-1. Click **Start** and enter **Netmon**.
+1. Run netmon in an elevated status by choosing Run as Administrator.
-2. For **netmon run command**,select **Run as administrator**.
+    ![Image of Start search results for Netmon](images/nm-start.png)
-    ![Image of Start search results for Netmon](images/tcp-ts-3.png)
+2. Network Monitor opens with all network adapters displayed. Select the network adapters where you want to capture traffic, click **New Capture**, and then click **Start**.
 3. Network Monitor opens with all network adapters displayed. Select **New Capture**, and then select **Start**.
    ![Image of the New Capture option on menu](images/tcp-ts-4.png)
-4. Reproduce the issue, and you will see that Network Monitor grabs the packets on the wire.
+3. Reproduce the issue, and you will see that Network Monitor grabs the packets on the wire.
    ![Frame summary of network packets](images/tcp-ts-5.png)
-5. Select **Stop**, and go to **File > Save as** to save the results. By default, the file will be saved as a ".cap" file.
+4. Select **Stop**, and go to **File > Save as** to save the results. By default, the file will be saved as a ".cap" file.
-The saved file has captured all the traffic that is flowing to and from the network adapters of this machine. However, your interest is only to look into the traffic/packets that are related to the specific connectivity problem you are facing. So you will need to filter the network capture to see only the related traffic. 
+The saved file has captured all the traffic that is flowing to and from the selected network adapters on the local computer. However, your interest is only to look into the traffic/packets that are related to the specific connectivity problem you are facing. So you will need to filter the network capture to see only the related traffic. 
 **Commonly used filters**
@ -56,5 +54,11 @@ The saved file has captured all the traffic that is flowing to and from the netw
 Network traces which are collected using the **netsh** commands built in to Windows are of the extension "ETL". However, these ETL files can be opened using Network Monitor for further analysis. 
 ## More information
-
+[Intro to Filtering with Network Monitor 3.0](https://blogs.technet.microsoft.com/netmon/2006/10/17/intro-to-filtering-with-network-monitor-3-0/)<br>
 [Network Monitor Filter Examples](https://blogs.technet.microsoft.com/rmilne/2016/08/11/network-monitor-filter-examples/)<br>
 [Network Monitor Wireless Filtering](https://social.technet.microsoft.com/wiki/contents/articles/1900.network-monitor-wireless-filtering.aspx)<br>
 [Network Monitor TCP Filtering](https://social.technet.microsoft.com/wiki/contents/articles/1134.network-monitor-tcp-filtering.aspx)<br>
 [Network Monitor Conversation Filtering](https://social.technet.microsoft.com/wiki/contents/articles/1829.network-monitor-conversation-filtering.aspx)<br>
 [How to setup and collect network capture using Network Monitor tool](https://blogs.technet.microsoft.com/msindiasupp/2011/08/10/how-to-setup-and-collect-network-capture-using-network-monitor-tool/)<br>
--- a/windows/client-management/windows-10-support-solutions.md
+++ b/windows/client-management/windows-10-support-solutions.md
@ -7,9 +7,30 @@ ms.sitesec: library
 ms.author: elizapo
 author: kaushika-msft
 ms.localizationpriority: medium
 ms.date: 11/08/2018
 ---
-# Top support solutions for Windows 10
+
 # Troubleshoot Windows 10 clients
 This section contains advanced troubleshooting topics and links to help you resolve issues with Windows 10 clients. Additional topics will be added as they become available.
 ## Troubleshooting support topics
 - [Advanced troubleshooting for Windows networking](troubleshoot-networking.md)<br>
    - [Advanced troubleshooting wireless network connectivity](advanced-troubleshooting-wireless-network-connectivity.md)<br>
    - [Advanced troubleshooting 802.1X authentication](advanced-troubleshooting-802-authentication.md)<br>
        - [Data collection for troubleshooting 802.1X authentication](data-collection-for-802-authentication.md)<br>
    - [Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md)<br>
    - [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md)<br>
    - [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md)<br>
    - [Troubleshoot port exhaustion](troubleshoot-tcpip-port-exhaust.md)<br>
    - [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md)<br>
 - [Advanced troubleshooting for Windows startup](troubleshoot-windows-startup.md)<br>
    - [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)<br>
    - [Advanced troubleshooting for Windows-based computer issues](troubleshoot-windows-freeze.md)<br>
    - [Advanced troubleshooting for stop errors or blue screen errors](troubleshoot-stop-errors.md)<br>
    - [Advanced troubleshooting for stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md)<br>
 ## Windows 10 update history
 Microsoft regularly releases both updates and solutions for Windows 10. To ensure your computers can receive future updates, including security updates, it's important to keep them updated. Check out the following links for a complete list of released updates:
@ -24,6 +45,7 @@ Microsoft regularly releases both updates and solutions for Windows 10. To ensur
 These are the top Microsoft Support solutions for the most common issues experienced when using Windows 10 in an enterprise or IT pro environment. The links below include links to KB articles, updates, and library articles.
 ## Solutions related to installing Windows Updates
 - [How does Windows Update work](https://docs.microsoft.com/en-us/windows/deployment/update/how-windows-update-works)
 - [Windows Update log files](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-logs)
 - [Windows Update troubleshooting](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-troubleshooting)
@ -35,7 +57,7 @@ These are the top Microsoft Support solutions for the most common issues experie
 - [Quick Fixes](https://docs.microsoft.com/en-us/windows/deployment/upgrade/quick-fixes)
 - [Troubleshooting upgrade errors](https://docs.microsoft.com/en-us/windows/deployment/upgrade/troubleshoot-upgrade-errors)
 - [Resolution procedures](https://docs.microsoft.com/en-us/windows/deployment/upgrade/resolution-procedures)
- ["0xc1800118" error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/en-in/help/3194588/0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus)
+- [0xc1800118 error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/en-in/help/3194588/0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus)
 - [0xC1900101 error when Windows 10 upgrade fails after the second system restart](https://support.microsoft.com/en-in/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system)
 ## Solutions related to BitLocker