deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-18 03:43:39 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into fr-meta-bitlocker

Browse Source
This commit is contained in:
Frank Rojas
2022-11-10 20:59:15 -05:00
parent daa7000a3e b9ea9c0bb3
commit 837582efe8
68 changed files with 258 additions and 622 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
windows/client-management/mdm/firewall-csp.md
View File

@ -25,8 +25,6 @@ The table below shows the applicability of Windows:
The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709.
The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709.
Firewall rules in the FirewallRules section must be wrapped in an Atomic block in SyncML, either individually or collectively.
For detailed information on some of the fields below, see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](/openspecs/windows_protocols/ms-winerrata/6521c5c4-1f76-4003-9ade-5cccfc27c8ac).

4
windows/configuration/TOC.yml
View File

@ -37,7 +37,7 @@
- name: Use mobile device management (MDM)
href: customize-windows-10-start-screens-by-using-mobile-device-management.md
- name: Troubleshoot Start menu errors
href: start-layout-troubleshoot.md
href: /troubleshoot/windows-client/shell-experience/troubleshoot-start-menu-errors
- name: Changes to Start policies in Windows 10
href: changes-to-start-policies-in-windows-10.md
- name: Accessibility settings
@ -89,7 +89,7 @@
- name: Use MDM Bridge WMI Provider to create a Windows client kiosk
href: kiosk-mdm-bridge.md
- name: Troubleshoot kiosk mode issues
href: kiosk-troubleshoot.md
href: /troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting
- name: Configure multi-user and guest devices
items:

3
windows/configuration/kiosk-additional-reference.md
View File

@ -32,5 +32,4 @@ Topic | Description
[Use AppLocker to create a Windows client kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a Windows client kiosk device running Enterprise or Education so that users can only run a few specific apps.
[Use Shell Launcher to create a Windows client kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows application as the user interface.
[Use MDM Bridge WMI Provider to create a Windows client kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class.
[Troubleshoot kiosk mode issues](kiosk-troubleshoot.md) | Tips for troubleshooting multi-app kiosk configuration.
[Troubleshoot kiosk mode issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting) | Tips for troubleshooting multi-app kiosk configuration.

2
windows/configuration/kiosk-prepare.md
View File

@ -206,7 +206,7 @@ For a more secure kiosk experience, we recommend that you make the following con
## Enable logging
Logs can help you [troubleshoot issues](./kiosk-troubleshoot.md) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default.
Logs can help you [troubleshoot issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default.
:::image type="content" source="images/enable-assigned-access-log.png" alt-text="On Windows client, open Event Viewer, right-click Operational, select enable log to turn on logging to help troubleshoot.":::

74
windows/configuration/kiosk-troubleshoot.md
View File

@ -1,74 +0,0 @@
---
title: Troubleshoot kiosk mode issues (Windows 10/11)
description: Learn how to troubleshoot single-app and multi-app kiosk configurations, as well as common problems like sign-in issues.
ms.reviewer: sybruckm
manager: aaroncz
ms.prod: windows-client
author: lizgt2000
ms.localizationpriority: medium
ms.author: lizlong
ms.topic: article
ms.technology: itpro-configure
---
# Troubleshoot kiosk mode issues
**Applies to**
- Windows 10
- Windows 11
## Single-app kiosk issues
>[!TIP]
>We recommend that you [enable logging for kiosk issues](kiosk-prepare.md#enable-logging). For some failures, events are only captured once. If you enable logging after an issue occurs with your kiosk, the logs may not capture those one-time events. In that case, prepare a new kiosk environment (such as a [virtual machine (VM)](kiosk-prepare.md#testing-your-kiosk-in-a-virtual-machine-vm)), set up your kiosk account and configuration, and try to reproduce the problem.
### Sign-in issues
1. Verify that User Account Control (UAC) is turned on.
2. Check the Event Viewer logs for sign-in issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**.
### Automatic logon issues
Check the Event Viewer logs for auto logon issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**.
## Multi-app kiosk issues
> [!NOTE]
> [!INCLUDE [Multi-app kiosk mode not supported on Windows 11](./includes/multi-app-kiosk-support-windows11.md)]
### Unexpected results
For example:
- Start is not launched in full-screen
- Blocked hotkeys are allowed
- Task Manager, Cortana, or Settings can be launched
- Start layout has more apps than expected
**Troubleshooting steps**
1. [Verify that the provisioning package is applied successfully](kiosk-validate.md).
2. Verify that the account (config) is mapped to a profile in the configuration XML file.
3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration.
4. Additional logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default.
![Event Viewer, right-click Operational, select enable log.](images/enable-assigned-access-log.png)
### Automatic logon issues
Check the Event Viewer logs for auto logon issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**.
### Apps configured in AllowedList are blocked
1. Ensure the account is mapped to the correct profile and that the apps are specific for that profile.
2. Check the EventViewer logs for Applocker and AppxDeployment (under **Application and Services Logs\Microsoft\Windows**).
### Start layout not as expected
- Make sure the Start layout is authored correctly. Ensure that the attributes **Size**, **Row**, and **Column** are specified for each application and are valid.
- Check if the apps included in the Start layout are installed for the assigned access user.
- Check if the shortcut exists on the target device, if a desktop app is missing on Start.

329
windows/configuration/start-layout-troubleshoot.md
View File

@ -1,329 +0,0 @@
---
title: Troubleshoot Start menu errors
description: Learn how to troubleshoot common Start menu errors in Windows 10. For example, learn to troubleshoot errors related to deployment, crashes, and performance.
ms.prod: windows-client
ms.author: lizlong
author: lizgt2000
ms.localizationpriority: medium
ms.reviewer:
manager: aaroncz
ms.topic: troubleshooting
ms.technology: itpro-configure
---
# Troubleshoot Start menu errors
> [!div class="nextstepaction"]
> <a href="https://vsa.services.microsoft.com/v1.0/?partnerId=7d74cf73-5217-4008-833f-87a1a278f2cb&flowId=DMC&initialQuery=31806233" target='_blank'>Try our Virtual Agent</a> - It can help you quickly identify and fix common Start menu issues.
Start failures can be organized into these categories:
- **Deployment/Install issues** - Easiest to identify but difficult to recover. This failure is consistent and usually permanent. Reset, restore from backup, or rollback to recover.
- **Performance issues** - More common with older hardware, low-powered machines. Symptoms include: High CPU utilization, disk contention, memory resources. This makes Start very slow to respond. Behavior is intermittent depending on available resources.
- **Crashes** - Also easy to identify. Crashes in Shell Experience Host or related can be found in System or Application event logs. This can be a code defect or related to missing or altered permissions to files or registry keys by a program or incorrect security tightening configurations. Determining permissions issues can be time consuming but a [SysInternals tool called Procmon](/sysinternals/downloads/procmon) will show **Access Denied**. The other option is to get a dump of the process when it crashes and depending on comfort level, review the dump in the debugger, or have support review the data.
- **Hangs** - in Shell Experience host or related. These are the hardest issues to identify as there are few events logged, but behavior is typically intermittent or recovers with a reboot. If a background application or service hangs, Start won't have resources to respond in time. Clean boot may help identify if the issue is related to additional software. Procmon is also useful in this scenario.
- **Other issues** - Customization, domain policies, deployment issues.
## Basic troubleshooting
When troubleshooting basic Start issues (and for the most part, all other Windows apps), there are a few things to check if they aren't working as expected. For issues where the Start menu or subcomponent isn't working, you can do some quick tests to narrow down where the issue may reside.
### Check the OS and update version
- Is the system running the latest Feature and Cumulative Monthly update?
- Did the issue start immediately after an update? Ways to check:
- PowerShell:[System.Environment]::OSVersion.Version
- WinVer from CMD.exe
### Check if Start is installed
- If Start fails immediately after a feature update, on thing to check is if the App package failed to install successfully.
- If Start was working and just fails intermittently, it's likely that Start is installed correctly, but the issue occurs downstream. The way to check for this problem is to look for output from these two PowerShell commands:
- `get-AppXPackage -Name Microsoft.Windows.ShellExperienceHost`
- `get-AppXPackage -Name Microsoft.Windows.Cortana`
:::image type="content" alt-text="Example of output from cmdlets." source="images/start-ts-1.png" lightbox="images/start-ts-1.png":::
Failure messages will appear if they aren't installed
- If Start isn't installed, then the fastest resolution is to revert to a known good configuration. This can be rolling back the update, resetting the PC to defaults (where there's a choice to save to delete user data), or restoring from backup. No method is supported to install Start Appx files. The results are often problematic and unreliable.
### Check if Start is running
If either component is failing to start on boot, reviewing the event logs for errors or crashes during boot may pin point the problem. Booting with MSCONFIG and using a selective or diagnostic startup option will eliminate and/or identify possible interference from additional applications.
- `get-process -name shellexperiencehost`
- `get-process -name searchui`
If it's installed but not running, test booting into safe mode or use MSCONFIG to eliminate third-party or additional drivers and applications.
### Check whether the system a clean install or upgrade
- Is this system an upgrade or clean install?
- Run `test-path "$env:windir\panther\miglog.xml"`
- If that file doesn't exist, the system is a clean install.
- Upgrade issues can be found by running `test-path "$env:windir\panther\miglog.xml"`
### Check if Start is registered or activated
- Export the following Event log to CSV and do a keyword search in a text editor or spreadsheet:
- Microsoft-Windows-TWinUI/Operational for Microsoft.Windows.ShellExperienceHost or Microsoft.Windows.Cortana
- "Package wasn't found"
- "Invalid value for registry"
- "Element not found"
- "Package couldn't be registered"
If these events are found, Start isn't activated correctly. Each event will have more detail in the description and should be investigated further. Event messages can vary.
### Other things to consider
When did the problem start?
- Top issues for Start menu failure are triggered
- After an update
- After installation of an application
- After joining a domain or applying a domain policy
- Many of those issues are found to be
- Permission changes on Registry keys or folders
- Start or related component crashes or hangs
- Customization failure
To narrow down the problem further, it's good to note:
- What is the install background?
- Was this a deployment, install from media, other
- Using customizations?
- DISM
- Group Policy or MDM
- copyprofile
- Sysprep
- Other
- Domain-joined
- Group policy settings that restrict access or permissions to folders or registry keys can cause issues with Start performance.
- Some Group Policies intended for Windows 7 or older have been known to cause issues with Start
- Untested Start Menu customizations can cause unexpected behavior by typically not complete Start failures.
- Is the environment virtualized?
- VMware
- Citrix
- Other
## Check Event logs that record Start Issues:
- System Event log
- Application Event log
- Microsoft/Windows/Shell-Core*
- Microsoft/Windows/Apps/
- Microsoft-Windows-TWinUI*
- Microsoft/Windows/AppReadiness*
- Microsoft/Windows/AppXDeployment*
- Microsoft-Windows-PushNotification-Platform/Operational
- Microsoft-Windows-CoreApplication/Operational
- Microsoft-Windows-ShellCommon-StartLayoutPopulation*
- Microsoft-Windows-CloudStore*
- Check for crashes that may be related to Start (explorer.exe, taskbar, and so on)
- Application log event 1000, 1001
- Check WER reports
- C:\ProgramData\Microsoft\Windows\WER\ReportArchive\
- C:\ProgramData\Micrt\Windowsosof\WER\ReportQueue\
If there is a component of Start that is consistently crashing, capture a dump that can be reviewed by Microsoft Support.
## Common errors and mitigation
The following list provides information about common errors you might run into with Start Menu, as well as steps to help you mitigate them.
### Symptom: Start Menu doesn't respond on Windows 2012 R2, Windows 10, or Windows 2016
**Cause**: Background Tasks Infrastructure Service (BrokerInfrastructure) service isn't started.
**Resolution**: Ensure that Background Tasks Infrastructure Service is set to automatic startup in Services MMC.
If Background Tasks Infrastructure Service fails to start, verify that the Power Dependency Coordinator Driver (PDC) driver and registry key aren't disabled or deleted. If either are missing, restore from backup or the installation media.
To verify the PDC Service, run `C:\>sc query pdc` in a command prompt. The results will be similar to the following:
>SERVICE_NAME: pdc
>TYPE : 1 KERNEL_DRIVER
>STATE : 4 RUNNING
> (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
>WIN32_EXIT_CODE : 0 (0x0)
>SERVICE_EXIT_CODE : 0 (0x0)
>CHECKPOINT : 0x0
>WAIT_HINT : 0x0
The PDC service uses pdc.sys located in the %WinDir%\system32\drivers.
The PDC registry key is:
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pdc`
**Description**="@%SystemRoot%\\system32\\drivers\\pdc.sys,-101"
**DisplayName**="@%SystemRoot%\\system32\\drivers\\pdc.sys,-100"
**ErrorControl**=dword:00000003
**Group**="Boot Bus Extender"
**ImagePath**=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,70,00,64,00,63,00,2e,00,73,00,79,\
00,73,00,00,00
**Start**=dword:00000000
**Type**=dword:00000001
In addition to the listed dependencies for the service, Background Tasks Infrastructure Service requires the Power Dependency Coordinator Driver to be loaded. If the PDC doesn't load at boot, Background Tasks Infrastructure Service will fail and affect Start Menu.
Events for both PDC and Background Tasks Infrastructure Service will be recorded in the event logs. PDC shouldn't be disabled or deleted. BrokerInfrastructure is an automatic service. This Service is required for all these operating Systems as running to have a stable Start Menu.
>[!NOTE]
>You cannot stop this automatic service when machine is running (C:\windows\system32\svchost.exe -k DcomLaunch -p).
### Symptom: After upgrading from 1511 to 1607 versions of Windows, the Group Policy "Remove All Programs list from the Start Menu" may not work
**Cause**: There was a change in the All Apps list between Windows 10, versions 1511 and 1607. These changes mean the original Group Policy and corresponding registry key no longer apply.
**Resolution**: This issue was resolved in the June 2017 updates. Update Windows 10, version 1607, to the latest cumulative or feature updates.
>[!NOTE]
>When the Group Policy is enabled, the desired behavior also needs to be selected. By default, it is set to **None**.
### Symptom: Application tiles like Alarm, Calculator, and Edge are missing from Start menu and the Settings app fails to open on Windows 10, version 1709 when a local user profile is deleted
:::image type="content" alt-text="Screenshots that show download icons on app tiles and missing app tiles." source="images/start-ts-2.png" lightbox="images/start-ts-2.png":::
**Cause**: This issue is known. The first-time sign-in experience isn't detected and doesn't trigger the install of some apps.
**Resolution**: This issue has been fixed for Windows 10, version 1709 in [KB 4089848](https://support.microsoft.com/help/4089848) March 22, 2018—KB4089848 (OS Build 16299.334)
### Symptom: When attempting to customize Start Menu layout, the customizations don't apply or results aren't expected
**Cause**: There are two main reasons for this issue:
- Incorrect format: Editing the xml file incorrectly by adding an extra space or spaces, entering a bad character, or saving in the wrong format.
- To tell if the format is incorrect, check for **Event ID: 22** in the "Applications and Services\Microsoft\Windows\ShellCommon-StartLayoutPopulation\Operational" log.
- Event ID 22 is logged when the xml is malformed, meaning the specified file simply isnt valid xml.
- When editing the xml file, it should be saved in UTF-8 format.
- Unexpected information: This occurs when possibly trying to add a tile via an unexpected or undocumented method.
- **Event ID: 64** is logged when the xml is valid but has unexpected values.
- For example: The following error occurred while parsing a layout xml file: The attribute 'LayoutCustomizationRestrictiontype' on the element '{http://schemas.microsoft.com/Start/2014/LayoutModification}DefaultLayoutOverride' is not defined in the DTD/Schema.
XML files can and should be tested locally on a Hyper-V or other virtual machine before deployment or application by Group Policy
### Symptom: Start menu no longer works after a PC is refreshed using F12 during startup
**Description**: If a user is having problems with a PC, it can be refreshed, reset, or restored. Refreshing the PC is a beneficial option because it maintains personal files and settings. When users have trouble starting the PC, "Change PC settings" in Settings is not accessible. So, to access the System Refresh, users may use the F12 key at startup. Refreshing the PC finishes, but Start Menu is not accessible.
**Cause**: This issue is known and was resolved in a cumulative update released August 30, 2018.
**Resolution**: Install corrective updates; a fix is included in the [September 11, 2018-KB4457142 release](https://support.microsoft.com/help/4457142).
### Symptom: The All Apps list is missing from Start menu
**Cause**: “Remove All Programs list from the Start menu" Group Policy is enabled.
**Resolution**: Disable the “Remove All Programs list from the Start menu" Group Policy.
### Symptom: Tiles are missing from the Start Menu when using Windows 10, version 1703 or older, Windows Server 2016, and Roaming User Profiles with a Start layout
**Description**: There are two different Start Menu issues in Windows 10:
- Administrator configured tiles in the start layout fail to roam.
- User-initiated changes to the start layout are not roamed.
Specifically, behaviors include
- Applications (apps or icons) pinned to the start menu are missing.
- Entire tile window disappears.
- The start button fails to respond.
- If a new roaming user is created, the first sign-in appears normal, but on subsequent sign-ins, tiles are missing.
![Example of a working layout.](images/start-ts-3.png)
*Working layout on first sign-in of a new roaming user profile*
![Example of a failing layout.](images/start-ts-4.png)
*Failing layout on subsequent sign-ins*
**Cause**: A timing issue exists where the Start Menu is ready before the data is pulled locally from the Roaming User Profile. The issue does not occur on first logons of a new roaming user, as the code path is different and slower.
**Resolution**: This issue has been resolved in Windows 10, versions 1703 and 1607, cumulative updates [as of March 2017](https://support.microsoft.com/help/4013429).
### Symptom: Start Menu layout customizations are lost after upgrading to Windows 10, version 1703
**Description**:
Before the upgrade:
![Example of Start screen with customizations applied.](images/start-ts-5.jpg)
After the upgrade the user pinned tiles are missing:
![Example of Start screen with previously pinned tiles missing.](images/start-ts-6.png)
Additionally, users may see blank tiles if sign-in was attempted without network connectivity.
![Example of blank tiles.](images/start-ts-7.png)
**Resolution**: This issue was fixed in the [October 2017 update](https://support.microsoft.com/en-us/help/4041676).
### Symptom: Tiles are missing after upgrade from Windows 10, version 1607 to version 1709 for users with Roaming User Profiles (RUP) enabled and managed Start Menu layout with partial lockdown
**Resolution** The April 2018 LCU must be applied to Windows 10, version 1709 before a user logs on.
### Symptom: Start Menu and/or Taskbar layout customizations are not applied if CopyProfile option is used in an answer file during Sysprep
**Resolution**: CopyProfile is no longer supported when attempting to customize Start Menu or taskbar with a layoutmodification.xml.
### Symptom: Start Menu issues with Tile Data Layer corruption
**Cause**: Windows 10, version 1507 through the release of version 1607 uses a database for the Tile image information. This is called the Tile Data Layer database. (The feature was deprecated in [Windows 10 1703](/windows/deployment/planning/windows-10-removed-features).)
**Resolution** There are steps you can take to fix the icons, first is to confirm that is the issue that needs to be addressed.
1. The App or Apps work fine when you select the tiles.
2. The tiles are blank, have a generic placeholder icon, have the wrong or strange title information.
3. The app is missing, but listed as installed via PowerShell and works if you launch via URI.
- Example: `windows-feedback://`
4. In some cases, Start can be blank, and Action Center and Cortana do not launch.
>[!Note]
>Corruption recovery removes any manual pins from Start. Apps should still be visible, but youll need to re-pin any secondary tiles and/or pin app tiles to the main Start view. Aps that you have installed that are completely missing from “all apps” is unexpected, however. That implies the re-registration didnt work.
Open a command prompt, and run the following command:
```console
C:\Windows\System32\tdlrecover.exe -reregister -resetlayout -resetcache
```
Although a reboot is not required, it may help clear up any residual issues after the command is run.
### Symptoms: Start Menu and Apps cannot start after upgrade to Windows 10 version 1809 when Symantec Endpoint Protection is installed
**Description**: Start menu, Search, and Apps do not start after you upgrade a computer running Windows 7 that has Symantec Endpoint Protection installed to Windows 10 version 1809.
**Cause**: This problem occurs because of a failure to load sysfer.dll. During upgrade, the setup process does not set the privilege group "All Application Packages" on sysfer.dll and other Symantec modules.
**Resolution** This issue was fixed by the Windows Cumulative Update that were released on December 5, 2018—KB4469342 (OS Build 17763.168).
If you have already encountered this issue, use one of the following two options to fix the issue:
**Option 1** Remove sysfer.dll from system32 folder and copy it back. Windows will set privilege automatically.
**Option 2**
1. Locate the directory C:\Windows\system32.
2. Right-click on sysfer.dll and choose **Properties**.
3. Switch to the **Security** tab.
4. Confirm that **All Application Packages** group is missing.
5. Select **Edit**, and then select **Add** to add the group.
6. Test Start and other Apps.

2
windows/deployment/planning/windows-10-deprecated-features.md
View File

@ -75,7 +75,7 @@ The features in this article are no longer being actively developed, and might b
|Windows Hello for Business deployment that uses Microsoft Configuration Manager |Windows Server 2016 Active Directory Federation Services - Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 |
|Windows PowerShell 2.0 | Applications and components should be migrated to PowerShell 5.0+. | 1709 |
|Apndatabase.xml | Apndatabase.xml is being replaced by the COSA database. Therefore, some constructs will no longer function. This replacement includes Hardware ID, incoming SMS messaging rules in mobile apps, a list of privileged apps in mobile apps, autoconnect order, APN parser, and CDMAProvider ID. | 1703 |
|Tile Data Layer | The [Tile Data Layer](/windows/configuration/start-layout-troubleshoot#symptom-start-menu-issues-with-tile-data-layer-corruption) database stopped development in Windows 10, version 1703. | 1703 |
|Tile Data Layer | The [Tile Data Layer](/troubleshoot/windows-client/shell-experience/troubleshoot-start-menu-errors#symptom-start-menu-issues-with-tile-data-layer-corruption) database stopped development in Windows 10, version 1703. | 1703 |
|TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 |
|TCPChimney | TCP Chimney Offload is no longer being developed. See [Performance Tuning Network Adapters](/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 |
|IPsec Task Offload| [IPsec Task Offload](/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and shouldn't be used. | 1703 |

25
windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
View File

@ -1,9 +1,9 @@
---
title: Privacy
description: This article provides details about the data platform and privacy compliance for Autopatch
ms.date: 05/30/2022
ms.prod: windows-client
ms.technology: itpro-updates
description: This article provides details about the data platform and privacy compliance for Autopatch
ms.date: 11/08/2022
ms.prod: w11
ms.technology: windows
ms.topic: reference
ms.localizationpriority: medium
author: tiaraquan
@ -40,9 +40,12 @@ Processor duties of Windows Autopatch include ensuring appropriate confidentiali
## Windows Autopatch data storage and staff location
Windows Autopatch stores its data in the Azure data centers in the United States.
Windows Autopatch stores its data in the Azure data centers based on your data residency. For more information, see [Microsoft 365 data center locations](/microsoft-365/enterprise/o365-data-locations).
Personal data obtained by Windows Autopatch and other services are required to keep the service operational. If a device is removed from Windows Autopatch, we keep personal data for a maximum of 30 days. For more information on data retention, see [Data retention, deletion, and destruction in Microsoft 365](/compliance/assurance/assurance-data-retention-deletion-and-destruction-overview).
> [!IMPORTANT]
> <ul><li>As of November 8, 2022, only <b>new</b> Windows Autopatch customers (EU, UK, Africa, Middle East) will have their data live in the European data centers.</li><li>Existing European Union (EU) Windows Autopatch customers will move from the North American data centers to the European data centers by the end of 2022.</li><li>If you're an existing Windows Autopatch customer, but <b>not</b> part of the European Union, data migration from North America to your respective data residency will occur next year.</li></ul>
Data obtained by Windows Autopatch and other services are required to keep the service operational. If a device is removed from Windows Autopatch, we keep data for a maximum of 30 days. For more information on data retention, see [Data retention, deletion, and destruction in Microsoft 365](/compliance/assurance/assurance-data-retention-deletion-and-destruction-overview).
Windows Autopatch Service Engineering Team is in the United States, India and Romania.
@ -54,9 +57,9 @@ The enhanced diagnostic data setting includes more detailed information about th
The diagnostic data terminology will change in future versions of Windows. Windows Autopatch is committed to processing only the data that the service needs. The diagnostic level will change to **Optional**, but Windows Autopatch will implement the limited diagnostic policies to fine-tune diagnostic data collection required for the service. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection).
Windows Autopatch only processes and stores system-level data from Windows 10 optional diagnostic data that originates from enrolled devices such as application and device reliability, and performance information. Windows Autopatch doesn't process and store customers' personal data such as chat and browser history, voice, text, or speech data.
Windows Autopatch only processes and stores system-level data from Windows 10 optional diagnostic data that originates from enrolled devices such as application and device reliability, and performance information. Windows Autopatch doesn't process and store customers' data such as chat and browser history, voice, text, or speech data.
For more information about the diagnostic data collection of Microsoft Windows 10, see the [Where we store and process personal data](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) section of the Microsoft Privacy Statement.
For more information about the diagnostic data collection of Microsoft Windows 10, see the [Where we store and process data](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) section of the Microsoft Privacy Statement.
## Tenant access
@ -107,11 +110,11 @@ Changes to the types of data gathered and where it's stored are considered a mat
## Data subject requests
Windows Autopatch follows General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) privacy regulations, which give data subjects specific rights to their personal data.
Windows Autopatch follows General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) privacy regulations, which give data subjects specific rights to their data.
These rights include:
- Obtaining copies of personal data
- Obtaining copies of data
- Requesting corrections to it
- Restricting the processing of it
- Deleting it
@ -123,7 +126,7 @@ To exercise data subject requests on data collected by the Windows Autopatch cas
| Data subject requests | Description |
| ------ | ------ |
| Data from Windows Autopatch support requests | Your IT administrator can request deletion, or extraction of personal data related support requests by submitting a report request at the [admin center](https://aka.ms/memadmin). <br><br> Provide the following information: <ul><li>Request type: Change request</li><li>Category: Security</li><li>Subcategory: Other</li><li>Description: Provide the relevant device names or user names.</li></ul> |
| Data from Windows Autopatch support requests | Your IT administrator can request deletion, or extraction of data related support requests by submitting a report request at the [admin center](https://aka.ms/memadmin). <br><br> Provide the following information: <ul><li>Request type: Change request</li><li>Category: Security</li><li>Subcategory: Other</li><li>Description: Provide the relevant device names or user names.</li></ul> |
For DSRs from other products related to the service, see the following articles:

2
windows/security/identity-protection/credential-guard/credential-guard-manage.md
View File

@ -315,7 +315,7 @@ Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
Instructions are given below for how to disable Virtualization-Based Security (VBS) entirely, rather than just Windows Defender Credential Guard. Disabling Virtualization-Based Security will automatically disable Windows Defender Credential Guard and other features that rely on VBS.
> [!IMPORANT]
> [!IMPORTANT]
> Other security features in addition to Windows Defender Credential Guard rely on Virtualization-Based Security in order to run. Disabling Virtualization-Based Security may have unintended side effects.
1. If Group Policy was used to enable Virtualization-Based Security, set the Group Policy setting that was used to enable it (**Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**) to "Disabled".

16
windows/security/identity-protection/hello-for-business/hello-faq.yml
View File

@ -63,7 +63,19 @@ sections:
answer: |
When using Windows Hello for Business, the PIN isn't a symmetric key, whereas the password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key.
The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
- question: What's a container?
answer: |
In the context of Windows Hello for Business, it's shorthand for a logical grouping of key material or data. Windows Hello uses a single container that holds user key material for personal accounts, including key material associated with the user's Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account.
The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD.
Note that there are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials of Windows Hello stores, are protected without the creation of actual containers or folders.
The container contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. Each logical container holds one or more sets of keys.\
:::image type="content" source="images/passport-fig3-logicalcontainer.png" alt-text="logical container with set of keys":::
- question: How do I delete a Windows Hello for Business container on a device?
answer: |
You can effectively disable Windows Hello for Business by launching `certutil.exe -deleteHelloContainer` on the end device under a user account, and then restarting the device.
- question: How does Windows Hello for Business work with Azure AD registered devices?
answer: |
A user will be prompted to set up a Windows Hello for Business key on an Azure AD registered devices if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using their exiting gestures.
@ -248,7 +260,7 @@ sections:
Windows Hello for Business works with any third-party federation servers that support the protocols used during the provisioning experience.<br><br>
| Protocol | Description |
| :---: | :--- |
| :--- | :--- |
| [[MS-KPP]: Key Provisioning Protocol](/openspecs/windows_protocols/ms-kpp/25ff7bd8-50e3-4769-af23-bcfd0b4d4567) | Specifies the Key Provisioning Protocol, which defines a mechanism for a client to register a set of cryptographic keys on a user and device pair. |
| [[MS-OAPX]: OAuth 2.0 Protocol Extensions](/openspecs/windows_protocols/ms-oapx/7612efd4-f4c8-43c3-aed6-f5c5ce359da2)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and log in hints. |
| [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](/openspecs/windows_protocols/ms-oapxbc/2f7d8875-0383-4058-956d-2fb216b44706) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (the OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. |

7
windows/security/identity-protection/hello-for-business/hello-how-it-works.md
View File

@ -10,14 +10,13 @@ ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 05/05/2018
appliesto:
-<b>Windows 10</b>
-<b>Windows 11</b>
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
ms.technology: itpro-security
---
# How Windows Hello for Business works in Windows Devices
Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory-joined, Hybrid Azure Active Directory-joined, or Azure AD registered devices. Windows Hello for Business also works for domain joined devices.
Windows Hello for Business is a two-factor credential that is a more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory-joined, Hybrid Azure Active Directory-joined, or Azure AD registered devices. Windows Hello for Business also works for domain joined devices.
Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features.
> [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8]

16
windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
View File

@ -10,15 +10,21 @@ ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 11/1/2022
appliesto:
-<b>Windows 10, version 21H2 and later</b>
-<b>Windows 11</b>
-<b>Hybrid deployment</b>
-<b>Hybrid cloud Kerberos trust</b>
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10, version 21H2 and later</a>
ms.technology: itpro-security
---
# Hybrid cloud Kerberos trust deployment
This document describes Windows Hello for Business functionalities or scenarios that apply to:\
**Deployment type:** [hybrid](hello-how-it-works-technology.md#hybrid-deployment)\
**Trust type:** [cloud Kerberos trust](hello-hybrid-cloud-kerberos-trust.md)\
**Device registration type:** [Azure AD join](hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](hello-how-it-works-technology.md#hybrid-azure-ad-join)
<br>
---
Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario.
## Introduction to cloud Kerberos trust

88
windows/security/threat-protection/windows-firewall/best-practices-configuring.md
View File

@ -3,6 +3,7 @@ title: Best practices for configuring Windows Defender Firewall
description: Learn about best practices for configuring Windows Defender Firewall
keywords: firewall, best practices, security, network security, network, rules, filters,
ms.prod: windows-client
ms.date: 11/09/2022
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@ -17,22 +18,12 @@ ms.collection:
ms.topic: article
ms.technology: itpro-security
appliesto:
-<b>Windows 10</b>
-<b>Windows 11</b>
-<b>Windows Server 2016</b>
-<b>Windows Server 2019</b>
-<b>Windows Server 2022</b>
-<b>Windows 10 and later</b>
-<b>Windows Server 2016 and later</b>
---
# Best practices for configuring Windows Defender Firewall
**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above
Windows Defender Firewall with Advanced Security provides host-based, two-way
network traffic filtering and blocks unauthorized network traffic flowing into
or out of the local device. Configuring your Windows Firewall based on the
@ -40,8 +31,8 @@ following best practices can help you optimize protection for devices in your
network. These recommendations cover a wide range of deployments including home
networks and enterprise desktop/server systems.
To open Windows Firewall, go to the **Start** menu, select **Run**,
type **WF.msc**, and then select **OK**. See also [Open Windows Firewall](./open-windows-firewall-with-advanced-security.md).
To open Windows Firewall, go to the **Start** menu, select **Run**,
type **WF.msc**, and then select **OK**. See also [Open Windows Firewall](./open-windows-firewall-with-advanced-security.md).
## Keep default settings
@ -51,18 +42,14 @@ When you open the Windows Defender Firewall for the first time, you can see the
*Figure 1: Windows Defender Firewall*
1. **Domain profile**: Used for networks where there's a system of account authentication against a domain controller (DC), such as an Azure Active Directory DC
2. **Private profile**: Designed for and best used
in private networks such as a home network
3. **Public profile**: Designed with higher security in mind
for public networks like Wi-Fi hotspots, coffee shops, airports, hotels, or stores
1. **Domain profile**: Used for networks where there's a system of account authentication against an Active Directory domain controller
1. **Private profile**: Designed for and best used in private networks such as a home network
1. **Public profile**: Designed with higher security in mind for public networks, like Wi-Fi hotspots, coffee shops, airports, hotels, or stores
View detailed settings for each profile by right-clicking the top-level **Windows Defender Firewall with Advanced Security** node in the left pane and then selecting **Properties**.
Maintain the default settings in Windows Defender
Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. One key example is the default Block behavior for Inbound connections.
Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. One key example is the default Block behavior for Inbound connections.
![A screenshot of a cell phone Description automatically generated.](images/fw03-defaults.png)
@ -84,27 +71,20 @@ This rule-adding task can be accomplished by right-clicking either **Inbound Rul
*Figure 3: Rule Creation Wizard*
> [!NOTE]
>This article does not cover step-by-step rule
configuration. See the [Windows Firewall with Advanced Security Deployment
Guide](./windows-firewall-with-advanced-security-deployment-guide.md)
for general guidance on policy creation.
>This article does not cover step-by-step rule configuration. See the [Windows Firewall with Advanced Security Deployment Guide](./windows-firewall-with-advanced-security-deployment-guide.md) for general guidance on policy creation.
In many cases, allowing specific types of inbound traffic will be required for
applications to function in the network. Administrators should keep the following rule precedence behaviors in mind when
allowing these inbound exceptions.
In many cases, allowing specific types of inbound traffic will be required for applications to function in the network. Administrators should keep the following rule precedence behaviors in mind when allowing these inbound exceptions.
1. Explicitly defined allow rules will take precedence over the default block setting.
2. Explicit block rules will take precedence over any conflicting allow rules.
3. More specific rules will take precedence over less specific rules, except if there are explicit block rules as mentioned in 2. (For example, if the parameters of rule 1 include an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 will take precedence.)
1. Explicitly defined allow rules will take precedence over the default block setting.
1. Explicit block rules will take precedence over any conflicting allow rules.
1. More specific rules will take precedence over less specific rules, except if there are explicit block rules as mentioned in 2. (For example, if the parameters of rule 1 include an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 will take precedence.)
Because of 1 and 2, it's important that, when designing a set of policies, you make sure that there are no other explicit block rules in place that could inadvertently overlap, thus preventing the traffic flow you wish to allow.
A general security best practice when creating inbound rules is to be as specific as possible. However, when new rules must be made that use ports or IP addresses, consider using consecutive ranges or subnets instead of individual addresses or ports where possible. This approach avoids creation of multiple filters under the hood, reduces complexity, and helps to avoid performance degradation.
> [!NOTE]
> Windows Defender Firewall does not support traditional weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors described above.
> [!NOTE]
> Windows Defender Firewall does not support traditional weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors described above.
## Create rules for new applications before first launch
@ -123,7 +103,6 @@ In either of the scenarios above, once these rules are added they must be delete
> [!NOTE]
> The firewall's default settings are designed for security. Allowing all inbound connections by default introduces the network to various threats. Therefore, creating exceptions for inbound connections from third-party software should be determined by trusted app developers, the user, or the admin on behalf of the user.
### Known issues with automatic rule creation
When designing a set of firewall policies for your network, it's a best practice to configure allow rules for any networked applications deployed on the host. Having these rules in place before the user first launches the application will help ensure a seamless experience.
@ -132,11 +111,9 @@ The absence of these staged rules doesn't necessarily mean that in the end an ap
To determine why some applications are blocked from communicating in the network, check for the following instances:
1. A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt.
2. A user lacks sufficient privileges and is therefore not prompted to allow the application to make the appropriate policy changes.
3. Local Policy Merge is disabled, preventing the application or network service from creating local rules.
1. A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt.
1. A user lacks sufficient privileges and is therefore not prompted to allow the application to make the appropriate policy changes.
1. Local Policy Merge is disabled, preventing the application or network service from creating local rules.
Creation of application rules at runtime can also be prohibited by administrators using the Settings app or Group Policy.
@ -150,9 +127,9 @@ See also [Checklist: Creating Inbound Firewall Rules](./checklist-creating-inbou
Firewall rules can be deployed:
1. Locally using the Firewall snap-in (**WF.msc**)
2. Locally using PowerShell
3. Remotely using Group Policy if the device is a member of an Active Directory Name, System Center Configuration Manager, or Intune (using workplace join)
1. Locally using the Firewall snap-in (**WF.msc**)
1. Locally using PowerShell
1. Remotely using Group Policy if the device is a member of an Active Directory Name, System Center Configuration Manager, or Intune (using workplace join)
Rule merging settings control how rules from different policy sources can be combined. Administrators can configure different merge behaviors for Domain, Private, and Public profiles.
@ -163,8 +140,7 @@ The rule-merging settings either allow or prevent local administrators from crea
*Figure 5: Rule merging setting*
> [!TIP]
> In the firewall [configuration service provider](/windows/client-management/mdm/firewall-csp), the
equivalent setting is *AllowLocalPolicyMerge*. This setting can be found under each respective profile node, *DomainProfile*, *PrivateProfile*, and *PublicProfile*.
> In the firewall [configuration service provider](/windows/client-management/mdm/firewall-csp), the equivalent setting is *AllowLocalPolicyMerge*. This setting can be found under each respective profile node, *DomainProfile*, *PrivateProfile*, and *PublicProfile*.
If merging of local policies is disabled, centralized deployment of rules is required for any app that needs inbound connectivity.
@ -173,15 +149,12 @@ Management (MDM), or both (for hybrid or co-management environments).
[Firewall CSP](/windows/client-management/mdm/firewall-csp) and [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) also have settings that can affect rule merging.
As a best practice, it's important to list and log such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app's website. For more complex or customer application deployments, a more thorough analysis may be needed using network packet capture tools.
As a best practice, it's important to list and log such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app's website. For more complex or customer application deployments, a more thorough analysis may be needed using network packet capture tools.
In general, to maintain maximum security, admins should only push firewall exceptions for apps and services determined to serve legitimate purposes.
> [!NOTE]
> The use of wildcard patterns, such as *C:\*\\teams.exe* is not
supported in application rules. We currently only support rules created using the full path to the application(s).
> The use of wildcard patterns, such as *C:\*\\teams.exe* is not supported in application rules. We currently only support rules created using the full path to the application(s).
## Know how to use "shields up" mode for active attacks
@ -208,15 +181,12 @@ Once the emergency is over, uncheck the setting to restore regular network traff
What follows are a few general guidelines for configuring outbound rules.
- The default configuration of Blocked for Outbound rules can be
considered for certain highly secure environments. However, the Inbound rule configuration should never be changed in a way that Allows traffic by default.
- It's recommended to Allow Outbound by default for most deployments for the sake of simplification around app deployments, unless the enterprise prefers tight security controls over ease-of-use.
- In high security environments, an inventory of all enterprise-spanning apps must be taken and logged by the administrator or administrators. Records must include whether an app used requires network connectivity. Administrators will need to create new rules specific to each app that needs network connectivity and push those rules centrally, via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments).
- The default configuration of Blocked for Outbound rules can be considered for certain highly secure environments. However, the Inbound rule configuration should never be changed in a way that Allows traffic by default
- It's recommended to Allow Outbound by default for most deployments for the sake of simplification around app deployments, unless the enterprise prefers tight security controls over ease-of-use
- In high security environments, an inventory of all enterprise-spanning apps must be taken and logged by the administrator or administrators. Records must include whether an app used requires network connectivity. Administrators will need to create new rules specific to each app that needs network connectivity and push those rules centrally, via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments)
For tasks related to creating outbound rules, see [Checklist: Creating Outbound Firewall Rules](./checklist-creating-outbound-firewall-rules.md).
## Document your changes
When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall.
When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall.