deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-19 16:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into v-smandalika-bitlocker-basic-deployment-1Sep

Browse Source
This commit is contained in:
Siddarth Mandalika 2020-10-23 13:04:23 +05:30
commit 837e37a07f
378 changed files with 7911 additions and 6568 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
education/developers.yml
View File

@ -18,16 +18,16 @@ additionalContent:
# Card
- title: UWP apps for education
summary: Learn how to write universal apps for education.
url: https://docs.microsoft.com/en-us/windows/uwp/apps-for-education/
url: https://docs.microsoft.com/windows/uwp/apps-for-education/
# Card
- title: Take a test API
summary: Learn how web applications can use the API to provide a locked down experience for taking tests.
url: https://docs.microsoft.com/en-us/windows/uwp/apps-for-education/take-a-test-api
url: https://docs.microsoft.com/windows/uwp/apps-for-education/take-a-test-api
# Card
- title: Office Education Dev center
summary: Integrate with Office 365 across devices and services to extend Microsoft enterprise-scale compliance and security to students, teachers, and staff in your education app
url: https://dev.office.com/industry-verticals/edu
url: https://developer.microsoft.com/office/edu
# Card
- title: Data Streamer
summary: Bring new STEM experiences into the classroom with real-time data in Excel using Data Streamer. Data Streamer can send data to Excel from a sensor or application.
url: https://docs.microsoft.com/en-us/microsoft-365/education/data-streamer
url: https://docs.microsoft.com/microsoft-365/education/data-streamer

12
education/windows/windows-editions-for-education-customers.md
View File

@ -30,10 +30,10 @@ Windows 10, version 1607 introduces two editions designed for the unique needs o
Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is effectively a variant of Windows 10 Pro that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Microsoft Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
For Cortana<sup>[1](#footnote1)</sup>,
For Cortana<sup>[1](#footnote1)</sup>:
- If you're using version 1607, Cortana is removed.
- If you're using new devices with version 1703, Cortana is turned on by default.
- If you're upgrading from version 1607 to version 1703, Cortana will be enabled.
- If you're using new devices with version 1703 or later, Cortana is turned on by default.
- If you're upgrading from version 1607 to version 1703 or later, Cortana will be enabled.
You can use the **AllowCortana** policy to turn Cortana off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
@ -49,10 +49,10 @@ Customers who deploy Windows 10 Pro are able to configure the product to have si
Windows 10 Education builds on Windows 10 Enterprise and provides the enterprise-grade manageability and security desired by many schools. Windows 10 Education is effectively a variant of Windows 10 Enterprise that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Microsoft Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
For Cortana<sup>1</sup>,
For Cortana<sup>1</sup>:
- If you're using version 1607, Cortana<sup>1</sup> is removed.
- If you're using new devices with version 1703, Cortana is turned on by default.
- If you're upgrading from version 1607 to version 1703, Cortana will be enabled.
- If you're using new devices with version 1703 or later, Cortana is turned on by default.
- If you're upgrading from version 1607 to version 1703 or later, Cortana will be enabled.
You can use the **AllowCortana** policy to turn Cortana off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).

2
windows/client-management/mdm/TOC.md
View File

@ -1,5 +1,6 @@
# [Mobile device management](index.md)
## [What's new in MDM enrollment and management](new-in-windows-mdm-enrollment-management.md)
### [Change history for MDM documentation](change-history-for-mdm-documentation.md)
## [Mobile device enrollment](mobile-device-enrollment.md)
### [MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md)
#### [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md)
@ -267,6 +268,7 @@
#### [LanmanWorkstation](policy-csp-lanmanworkstation.md)
#### [Licensing](policy-csp-licensing.md)
#### [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)
#### [LocalUsersAndGroups](policy-csp-localusersandgroups.md)
#### [LockDown](policy-csp-lockdown.md)
#### [Maps](policy-csp-maps.md)
#### [Messaging](policy-csp-messaging.md)

1078
windows/client-management/mdm/change-history-for-mdm-documentation.md Normal file
View File

File diff suppressed because it is too large Load Diff

10
windows/client-management/mdm/firewall-csp.md
View File

@ -248,10 +248,10 @@ Sample syncxml to provision the firewall settings to evaluate
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="localaddressranges"></a>**FirewallRules/*FirewallRuleName*/LocalAddressRanges**
<p style="margin-left: 20px">Comma separated list of local addresses covered by the rule. The default value is &quot;<em>&quot;. Valid tokens include:</p>
<p style="margin-left: 20px">Comma separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:</p>
<ul>
<li>&quot;</em>&quot; indicates any local address. If present, this must be the only token included.</li>
<li>A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.</li>
<li>"*" indicates any local address. If present, this must be the only token included.</li>
<li>A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255.</li>
<li>A valid IPv6 address.</li>
<li>An IPv4 address range in the format of &quot;start address - end address&quot; with no spaces included.</li>
<li>An IPv6 address range in the format of &quot;start address - end address&quot; with no spaces included.</li>
@ -260,9 +260,9 @@ Sample syncxml to provision the firewall settings to evaluate
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="remoteaddressranges"></a>**FirewallRules/*FirewallRuleName*/RemoteAddressRanges**
<p style="margin-left: 20px">List of comma separated tokens specifying the remote addresses covered by the rule. The default value is &quot;<em>&quot;. Valid tokens include:</p>
<p style="margin-left: 20px">List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:</p>
<ul>
<li>&quot;</em>&quot; indicates any remote address. If present, this must be the only token included.</li>
<li>"*" indicates any remote address. If present, this must be the only token included.</li>
<li>&quot;Defaultgateway&quot;</li>
<li>&quot;DHCP&quot;</li>
<li>&quot;DNS&quot;</li>

2893
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

File diff suppressed because one or more lines are too long

9
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -4006,7 +4006,13 @@ The following diagram shows the Policy configuration service provider in tree fo
</dd>
</dl>
### LocalUsersAndGroups policies
<dl>
<dd>
<a href="./policy-csp-localusersandgroups.md#localusersandgroups-configure" id="localusersandgroups-configure">LocalUsersAndGroups/Configure</a>
</dd>
</dl>
### LockDown policies
@ -5219,6 +5225,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-update.md#update-disabledualscan" id="update-disabledualscan">Update/DisableDualScan</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-disablewufbsafeguards" id="update-disablewufbsafeguards">Update/DisableWUfBSafeguards</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-engagedrestartdeadline" id="update-engagedrestartdeadline">Update/EngagedRestartDeadline</a>
</dd>

232
windows/client-management/mdm/policy-csp-localusersandgroups.md Normal file
View File

@ -0,0 +1,232 @@
---
title: Policy CSP - LocalUsersAndGroups
description: Policy CSP - LocalUsersAndGroups
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 10/14/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - LocalUsersAndGroups
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->
## LocalUsersAndGroups policies
<dl>
<dd>
<a href="#localusersandgroups-configure">LocalUsersAndGroups/Configure</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="localusersandgroups-configure"></a>**LocalUsersAndGroups/Configure**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10, version 20H2. This policy setting allows IT admins to add, remove, or replace members of local groups on a managed device.
> [!NOTE]
> The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting also allows you to configure members (users or AAD groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove.
>
> Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersandGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results.
Here's an example of the policy definition XML for group configuration:
```xml
<GroupConfiguration>
<accessgroup desc = "">
<group action = ""/>
<add member = ""/>
<remove member = ""/>
</accessgroup>
</GroupConfiguration>
```
where:
- `<accessgroup desc>`: Specifies the name or SID of the local group to configure. If you specify a SID, the [LookupAccountSid](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API is used to translate the SID to a valid group name. If you specify a name, the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API is used to lookup the group and validate the name. If name/SID lookup fails, the group is skipped and the next group in the XML file is processed. If there are multiple errors, the last error is returned at the end of the policy processing.
- `<group action>`: Specifies the action to take on the local group, which can be Update and Restrict, represented by U and R:
- Update. This action must be used to keep the current group membership intact and add or remove members of the specific group.
- Restrict. This action must be used to replace current membership with the newly specified groups. This action provides the same functionality as the [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting.
- `<add member>`: Specifies the SID or name of the member to configure.
- `<remove member>`: Specifies the SID or name of the member to remove from the specified group.
> [!NOTE]
> When specifying member names of domain accounts, use fully qualified account names where possible (for example, domain_name\user_name) instead of isolated names (for example, group_name). This way, you can avoid getting ambiguous results when users or groups with the same name exist in multiple domains and locally. See [LookupAccountNameA function](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea#remarks) for more information.
See [Use custom settings for Windows 10 devices in Intune](https://docs.microsoft.com/mem/intune/configuration/custom-settings-windows-10) for information on how to create custom profiles.
> [!IMPORTANT]
> - `<add member>` and `<remove member>` can use an Azure AD SID or the user's name. For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using [Graph](https://docs.microsoft.com/graph/api/resources/group?view=graph-rest-1.0#json-representation) API for Groups. The SID is present in the `securityIdentifier` attribute.
> - When specifying a SID in the `<add member>` or `<remove member>`, member SIDs are added without attempting to resolve them. Therefore, be very careful when specifying a SID to ensure it is correct.
> - `<remove member>` is not valid for the R (Restrict) action and will be ignored if present.
> - The list in the XML is processed in the given order except for the R actions, which get processed last to ensure they win. It also means that if a group is present multiple times with different add/remove values, all of them will be processed in the order they are present.
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
**Examples**
Example 1: Update action for adding and removing group members.
The following example shows how you can update a local group (**Backup Operators**)—add a domain group as a member using its name (**Contoso\ITAdmins**), add the built-in Administrators group using its [well known SID](https://docs.microsoft.com/windows/win32/secauthz/well-known-sids), add a AAD group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**).
```xml
<GroupConfiguration>
<accessgroup desc = "Backup Operators">
<group action = "U" />
<add member = "Contoso\ITAdmins"/>
<add member = "S-1-5-32-544"/>
<add member = "S-1-12-1-111111111-22222222222-3333333333-4444444444"/>
<remove member = "Guest"/>
</accessgroup>
</GroupConfiguration>
```
Example 2: Restrict action for replacing the group membership.
The following example shows how you can restrict a local group (**Backup Operators**)—replace its membership with the built-in Administrators group using its [well known SID](https://docs.microsoft.com/windows/win32/secauthz/well-known-sids) and add a local account (**Guest**).
```xml
<GroupConfiguration>
<accessgroup desc = "Backup Operators">
<group action = "R" />
<add member = "S-1-5-32-544"/>
<add member = "Guest"/>
</accessgroup>
</GroupConfiguration>
```
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
## FAQs
This section provides answers to some common questions you might have about the LocalUsersAndGroups policy CSP.
### What happens if I accidentally remove the built-in Administrator SID from the Administrators group?
Removing the built-in Administrator account from the built-in Administrators group is blocked at SAM/OS level for security reasons. Attempting to do so will result in failure with the following error:
| Error Code | Symbolic Name | Error Description | Header |
|----------|----------|----------|----------|
| 0x55b (Hex) <br> 1371 (Dec) |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.| winerror.h |
When configuring the built-in Administrators group with the R (Restrict) action, specify the built-in Administrator account SID/Name in `<add member>` to avoid this error.
### Can I add a member that already exists?
Yes, you can add a member that is already a member of a group. This will result in no changes to the group and no error.
### Can I remove a member if it isn't a member of the group?
Yes, you can remove a member even if it isn't a member of the group. This will result in no changes to the group and no error.
### How can I add a domain group as a member to a local group?
To add a domain group as a member to a local group, specify the domain group in `<add member>` of the local group. Use fully qualified account names (for example, domain_name\group_name) instead of isolated names (for example, group_name) for the best results. See [LookupAccountNameA function](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea#remarks) for more information.
### Can I apply more than one LocalUserAndGroups policy/XML to the same device?
No, this is not allowed. Attempting to do so will result in a conflict in Intune.
### What happens if I specify a group name that doesn't exist?
Invalid group names or SIDs will be skipped. Valid parts of the policy will apply, and error will be returned at the end of the processing. This behavior aligns with the on-prem AD GPP (Group Policy Preferences) LocalUsersAndGroups policy. Similarly, invalid member names will be skipped, and error will be returned at the end to notify that not all settings were applied successfully.
### What happens if I specify R and U in the same XML?
If you specify both R and U in the same XML, the R (Restrict) action takes precedence over U (Update). Therefore, if a group appears twice in the XML, once with U and again with R, the R action wins.
### How do I check the result of a policy that is applied on the client device?
After a policy is applied on the client device, you can investigate the event log to review the result:
1. Open Event Viewer (**eventvwr.exe**).
2. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **DeviceManagement-Enterprise-
Diagnostics-Provider** > **Admin**.
3. Search for the `LocalUsersAndGroups` string to review the relevant details.
### How can I troubleshoot Name/SID lookup APIs?
To troubleshoot Name/SID lookup APIs:
1. Enable **lsp.log** on the client device by running the following commands:
```cmd
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x800 -Type dword -Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgTraceOptions -Value 0x1 -Type dword -Force
```
The **lsp.log** file (**C:\windows\debug\lsp.log**) will be displayed. This log file tracks the SID-Name resolution.
2. Turn the logging off by running the following command:
```cmd
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x0 -Type dword -Force
```
Footnotes:
- 9 - Available in Windows 10, version 20H2.
<!--/Policies-->

2
windows/client-management/mdm/policy-csp-mixedreality.md
View File

@ -308,7 +308,7 @@ The following list shows the supported values:
Footnotes:
- 9 - Available in the next major release of Windows 10.
- 9 - Available in Windows 10, version 20H2.
<!--/Policies-->

3
windows/client-management/mdm/policy-csp-restrictedgroups.md
View File

@ -14,6 +14,9 @@ manager: dansimp
# Policy CSP - RestrictedGroups
> [!IMPORTANT]
> Starting from Windows 10, version 20H2, it is recommended to use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy to configure members (users or AAD groups) to a Windows 10 local group. Applying both the policies to the same device is unsupported and may yield unpredictable results.
<hr/>

89
windows/client-management/mdm/policy-csp-update.md
View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 02/10/2020
ms.date: 10/21/2020
ms.reviewer:
manager: dansimp
---
@ -96,6 +96,9 @@ manager: dansimp
<dd>
<a href="#update-disabledualscan">Update/DisableDualScan</a>
</dd>
<dd>
<a href="#update-disablewufbsafeguards">Update/DisableWUfBSafeguards</a>
</dd>
<dd>
<a href="#update-engagedrestartdeadline">Update/EngagedRestartDeadline</a>
</dd>
@ -1110,8 +1113,8 @@ ADMX Info:
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
- true - Enable
- false - Disable (Default)
- 0 - Disable (Default)
- 1 - Enable
<!--/SupportedValues-->
<!--Example-->
@ -2013,6 +2016,85 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="update-disablewufbsafeguards"></a>**Update/DisableWUfBSafeguards**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows Update for Business (WUfB) devices running Windows 10, version 1809 and above and installed with October 2020 security update. This policy setting specifies that a WUfB device should skip safeguards.
Safeguard holds prevent a device with a known compatibility issue from being offered a new OS version. The offering will proceed once a fix is issued and is verified on a held device. The aim of safeguards is to protect the device and user from a failed or poor upgrade experience.
The safeguard holds protection is provided by default to all the devices trying to update to a new Windows 10 Feature Update version via Windows Update.
IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the “Disable safeguards for Feature Updates” Group Policy.
> [!NOTE]
> Opting out of the safeguards can put devices at risk from known performance issues. We recommend opting out only in an IT environment for validation purposes. Further, you can leverage the Windows Insider Program for Business Release Preview Channel in order to validate the upcoming Windows 10 Feature Update version without the safeguards being applied.
>
> The disable safeguards policy will revert to “Not Configured” on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsofts default protection from known issues for each new feature update.
>
> Disabling safeguards does not guarantee your device will be able to successfully update. The update may still fail on the device and will likely result in a bad experience post upgrade as you are bypassing the protection given by Microsoft pertaining to known issues.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Disable safeguards for Feature Updates*
- GP name: *DisableWUfBSafeguards*
- GP path: *Windows Components/Windows Update/Windows Update for Business*
- GP ADMX file name: *WindowsUpdate.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) - Safeguards are enabled and devices may be blocked for upgrades until the safeguard is cleared.
- 1 - Safeguards are not enabled and upgrades will be deployed without blocking on safeguards.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-engagedrestartdeadline"></a>**Update/EngagedRestartDeadline**
@ -4525,4 +4607,3 @@ Footnotes:
- 8 - Available in Windows 10, version 2004.
<!--/Policies-->

2
windows/client-management/mdm/policy-csp-windowssandbox.md
View File

@ -556,6 +556,6 @@ Footnotes:
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
- 9 - Available in Windows 10, version 2010.
- 9 - Available in Windows 10, version 20H2.
<!--/Policies-->

4
windows/deployment/TOC.yml
View File

@ -144,6 +144,8 @@
href: update/media-dynamic-update.md
- name: Migrating and acquiring optional Windows content
href: update/optional-content.md
- name: Safeguard holds
href: update/safeguard-holds.md
- name: Manage the Windows 10 update experience
items:
- name: Manage device restarts after updates
@ -237,6 +239,8 @@
items:
- name: How to troubleshoot Windows Update
href: update/windows-update-troubleshooting.md
- name: Opt out of safeguard holds
href: update/safeguard-opt-out.md
- name: Determine the source of Windows Updates
href: update/windows-update-sources.md
- name: Common Windows Update errors

4
windows/deployment/planning/windows-10-deprecated-features.md
View File

@ -26,6 +26,7 @@ The features described below are no longer being actively developed, and might b
|Feature | Details and mitigation | Announced in version |
| ----------- | --------------------- | ---- |
| Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 |
| Companion Device Framework | The [Companion Device Framework](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 |
| Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 |
| Dynamic Disks | The [Dynamic Disks](https://docs.microsoft.com/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](https://docs.microsoft.com/windows-server/storage/storage-spaces/overview) in a future release.| 2004 |
@ -37,12 +38,13 @@ The features described below are no longer being actively developed, and might b
| Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which are not as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 |
| Windows To Go | Windows To Go is no longer being developed. <br><br>The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.| 1903 |
| Print 3D app | Going forward, 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| 1903 |
|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this, and because third party partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 |
|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this, and because non-Microsoft partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 |
|OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.| 1809 |
|Snipping Tool|The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're [introducing a new universal app, Snip & Sketch](https://blogs.windows.com/windowsexperience/2018/05/03/announcing-windows-10-insider-preview-build-17661/#8xbvP8vMO0lF20AM.97), that provides the same screen snipping abilities, as well as additional features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the “Screen snip” button in the Action Center. We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch.| 1809 |
|[Software Restriction Policies](https://docs.microsoft.com/windows-server/identity/software-restriction-policies/software-restriction-policies) in Group Policy|Instead of using the Software Restriction Policies through Group Policy, you can use [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/applocker/applocker-overview) or [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control) to control which apps users can access and what code can run in the kernel.| 1803 |
|[Offline symbol packages](https://docs.microsoft.com/windows-hardware/drivers/debugger/debugger-download-symbols) (Debug symbol MSIs)|We're no longer making the symbol packages available as a downloadable MSI. Instead, the [Microsoft Symbol Server is moving to be an Azure-based symbol store](https://blogs.msdn.microsoft.com/windbg/2017/10/18/update-on-microsofts-symbol-server/). If you need the Windows symbols, connect to the Microsoft Symbol Server to cache your symbols locally or use a manifest file with SymChk.exe on a computer with internet access.| 1803 |
|Windows Help Viewer (WinHlp32.exe)|All Windows help information is [available online](https://support.microsoft.com/products/windows?os=windows-10). The Windows Help Viewer is no longer supported in Windows 10. If for any reason you see an error message about "help not supported," possibly when using a non-Microsoft application, read [this support article](https://support.microsoft.com/help/917607/error-opening-help-in-windows-based-programs-feature-not-included-or-h) for additional information and any next steps.| 1803 |
|MBAE service metadata|The MBAE app experience is replaced by an MO UWP app. For more information, see [Developer guide for creating service metadata](https://docs.microsoft.com/windows-hardware/drivers/mobilebroadband/developer-guide-for-creating-service-metadata) | 1803 |
|Contacts feature in File Explorer|We're no longer developing the Contacts feature or the corresponding [Windows Contacts API](https://msdn.microsoft.com/library/ff800913.aspx). Instead, you can use the People app in Windows 10 to maintain your contacts.| 1803 |
|Phone Companion|Use the **Phone** page in the Settings app. In Windows 10, version 1709, we added the new **Phone** page to help you sync your mobile phone with your PC. It includes all the Phone Companion features.| 1803 |
|IPv4/6 Transition Technologies (6to4, ISATAP, Teredo, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), Teredo has been disabled since Windows 10, version 1803, and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.| 1803 |

1
windows/deployment/planning/windows-10-removed-features.md
View File

@ -27,6 +27,7 @@ The following features and functionalities have been removed from the installed
|Feature | Details and mitigation | Removed in version |
| ----------- | --------------------- | ------ |
|MBAE service metadata|The MBAE app experience is replaced by an MO UWP app. Metadata for the MBAE service is removed. | 20H2 |
| Connect app | The **Connect** app for wireless projection using Miracast is no longer installed by default, but is available as an optional feature. To install the app, click on **Settings** > **Apps** > **Optional features** > **Add a feature** and then install the **Wireless Display** app. | 2004 |
| Rinna and Japanese Address suggestion | The Rinna and Japanese Address suggestion service for Microsoft Japanese Input Method Editor (IME) ended on August 13th, 2020. For more information, see [Rinna and Japanese Address suggestion will no longer be offered](https://support.microsoft.com/help/4576767/windows-10-rinna-and-japanese-address-suggestion) | 2004 |
| Cortana | Cortana has been updated and enhanced in the Windows 10 May 2020 Update. With [these changes](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-2004#cortana), some previously available consumer skills such as music, connected home, and other non-Microsoft skills are no longer available. | 2004 |

34
windows/deployment/update/create-deployment-plan.md
View File

@ -6,20 +6,20 @@ ms.mktglfcycl: manage
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.reviewer:
ms.collection: m365initiative-coredeploy
manager: laurawi
ms.topic: article
---
# Create a deployment plan
A service management mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. And once this process is used for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity.
A "service management" mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. And once you use this process for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity.
When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices, and weve found that ring-based deployment is a methodology that works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades--they are simply a method by which to separate devices into a deployment timeline.
When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. Weve found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method to separate devices into a deployment timeline.
At the highest level, each “ring” comprise a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur.
At the highest level, each “ring” comprises a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur.
A common ring structure comprises three deployment groups:
A common ring structure uses three deployment groups:
- Preview: Planning and development
- Limited: Pilot and validation
@ -34,22 +34,20 @@ A common ring structure comprises three deployment groups:
## How many rings should I have?
There are no definite rules for exactly how many rings to have for your deployments. As mentioned previously, you might want to ensure zero downtime for mission-critical devices by putting them in their own ring. If you have a large
organization, you might want to consider assigning devices to rings based on geographic location or the size of rings so that helpdesk resources are more available. Consider the needs of your business and introduce rings that make sense for your organization.
There are no definite rules for exactly how many rings to have for your deployments. As mentioned previously, you might want to ensure zero downtime for mission-critical devices by putting them in their own ring. If you have a large organization, you might want to consider assigning devices to rings based on geographic location or the size of rings so that helpdesk resources are more available. Consider the needs of your business and introduce rings that make sense for your organization.
## Advancing between rings
There are basically two strategies for moving deployments from one ring to the next. One is service based, the other project based.
There are basically two strategies for moving deployments from one ring to the next. One is service-based, the other project based.
- "Red button" (service based): Assumes that content is good until proven bad. Content flows until an issue is discovered, at which point the IT administrator presses the “red button” to stop further distribution.
- Green button (project based): Assumes that content is bad until proven good. Once all validation has passed, the IT administrator presses the “green button” to push the content to the next ring.
When it comes to deployments, having manual steps in the process usually impedes update velocity, so a "red button" strategy is better when that is your goal.
When it comes to deployments, having manual steps in the process usually impedes update velocity. A "red button" strategy is better when that is your goal.
## Preview ring
The purpose of the Preview ring is to evaluate the new features of the update. This is specifically *not* for broad parts of the organization but is limited to the people who are responsible for knowing what is coming next,
generally IT administrators. Ultimately, this is the time the design and planning work happens so that when the public update is actually shipped, you can have greater confidence in the update.
The purpose of the Preview ring is to evaluate the new features of the update. It's *not* for broad parts of the organization but is limited to the people who are responsible for knowing what is coming next, generally IT administrators. Ultimately, this phase is the time the design and planning work happens so that when the public update is shipped, you can have greater confidence in the update.
> [!NOTE]
> Being part of the [Windows Insider Program](https://insider.windows.com/for-business/) gives you early access to Windows releases so that you can use Insider Preview builds in your Preview ring to validate your apps and infrastructure, preparing you for public Windows releases.
@ -57,14 +55,14 @@ generally IT administrators. Ultimately, this is the time the design and plannin
### Who goes in the Preview ring?
The Preview ring users are the most tech savvy and resilient people, who will not lose productivity if something goes wrong. In general, these are IT pros, and perhaps a few people in the business organization.
The Preview ring users are the most tech savvy and resilient people, who will not lose productivity if something goes wrong. In general, these users are IT pros, and perhaps a few people in the business organization.
During your plan and prepare phases, these are the activities you should focus on:
During your plan and prepare phases, you should focus on the following activities:
- Work with Windows Insider Preview builds.
- Identify the features and functionality your organization can or wants to use.
- Establish who will use the features and how they will benefit.
- Understand why you are putting the update out.
- Understand why you are putting out the update.
- Plan for usage feedback.
Remember, you are working with pre-release software in the Preview ring and you will be evaluating features and testing the update for a targeted release.
@ -76,7 +74,7 @@ Remember, you are working with pre-release software in the Preview ring and you
## Limited ring
The purpose of the Limited ring is to validate the update on representative devices across the network. During this period, data, and feedback is generated to enable the decision to move forward to broader deployment. Desktop
The purpose of the Limited ring is to validate the update on representative devices across the network. During this period, data, and feedback are generated to enable the decision to move forward to broader deployment. Desktop
Analytics can help with defining a good Limited ring of representative devices and assist in monitoring the deployment.
### Who goes in the Limited ring?
@ -84,7 +82,7 @@ Analytics can help with defining a good Limited ring of representative devices a
The most important part of this phase is finding a representative sample of devices and applications across your network. If possible, all hardware and all applications should be represented, and it's important that the people selected for this ring are using their devices regularly in order to generate the data you will need to make a decision for broader deployment across your organization. The IT department, lab devices, and users with the most cutting-edge hardware usually dont have the applications or device drivers that are truly a representative sample of your network.
During your pilot and validate phases, these are the activities you should focus on:
During your pilot and validate phases, you should focus on the following activities:
- Deploy new innovations.
- Assess and act if issues are encountered.
@ -104,7 +102,7 @@ In most businesses, the Broad ring includes the rest of your organization. Becau
> In some instances, you might hold back on mission critical devices (such as medical devices) until deployment in the Broad ring is complete. Get best practices and recommendations for deploying Windows 10 feature
> updates to mission critical devices.
During the broad deployment phase, these are the activities you should focus on:
During the broad deployment phase, you should focus on the following activities:
- Deploy to all devices in the organization.
- Work through any final unusual issues that were not detected in your Limited ring.
@ -112,7 +110,7 @@ During the broad deployment phase, these are the activities you should focus on:
## Ring deployment planning
Previously, we have provided methods for analyzing your deployments, but these have generally been standalone tools to assess, manage and execute deployments. In other words, you would generate an analysis, make a deployment strategy, and then move to your console for implementation, repeating these steps for each deployment. We have combined many of these tasks, and more, into a single interface with Desktop Analytics.
Previously, we have provided methods for analyzing your deployments, but these have been standalone tools to assess, manage and execute deployments. In other words, you would generate an analysis, make a deployment strategy, and then move to your console for implementation, repeating these steps for each deployment. We have combined many of these tasks, and more, into a single interface with Desktop Analytics.
[Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview) is a cloud-based service and a key tool in [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/configmgr/core/understand/microsoft-endpoint-manager-faq). Using artificial intelligence and machine learning, Desktop Analytics is a powerful tool to give you insights and intelligence to

17
windows/deployment/update/eval-infra-tools.md
View File

@ -1,8 +1,7 @@
---
title: Evaluate infrastructure and tools
ms.reviewer:
manager: laurawi
description:
description: Steps to make sure your infrastructure is ready to deploy updates
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
@ -11,18 +10,18 @@ author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
ms.topic: article
ms.collection: M365-modern-desktop
ms.collection: m365initiative-coredeploy
---
# Evaluate infrastructure and tools
Before you deploy an update, it's best to assess your deployment infrastucture (that is, tools such as Configuration Manager, Microsoft Intune, or similar) and current configurations (such as security baselines, administrative templates, and policies that affect updates). Then, set some criteria to define your operational readiness.
Before you deploy an update, it's best to assess your deployment infrastructure (that is, tools such as Configuration Manager, Microsoft Intune, or similar) and current configurations (such as security baselines, administrative templates, and policies that affect updates). Then, set some criteria to define your operational readiness.
## Infrastructure
Do your deployment tools need updates?
- If you use Configuration Manager, is it on the Current Branch with the latest release installed. This ensures that it supports the next Windows 10 feature update. Configuration Manager releases are supported for 18 months.
- If you use Configuration Manager, is it on the Current Branch with the latest release installed. Being on this branch ensures that it supports the next Windows 10 feature update. Configuration Manager releases are supported for 18 months.
- Using a cloud-based management tool like Microsoft Intune reduces support challenges, since no related products need to be updated.
- If you use a non-Microsoft tool, check with its product support to make sure you're using the current version and that it supports the next Windows 10 feature update.
@ -30,11 +29,11 @@ Rely on your experiences and data from previous deployments to help you judge ho
## Device settings
Make sure your security basline, administrative templates, and policies have the right settings to support your devices once the new Windows 10 update is installed.
Make sure your security baseline, administrative templates, and policies have the right settings to support your devices once the new Windows 10 update is installed.
### Security baseline
Keep security baslines current to help ensure that your environment is secure and that new security feature in the coming Windows 10 update are set properly.
Keep security baselines current to help ensure that your environment is secure and that new security feature in the coming Windows 10 update are set properly.
- **Microsoft security baselines**: You should implement security baselines from Microsoft. They are included in the [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319), along with tools for managing them.
- **Industry- or region-specific baselines**: Your specific industry or region might have particular baselines that you must follow per regulations. Ensure that any new baselines support the version of Windows 10 you are about to deploy.
@ -49,14 +48,14 @@ There are a number of Windows policies (set by Group Policy, Intune, or other me
## Define operational readiness criteria
When youve deployed an update, youll need to make sure the update isnt introducing new operational issues. And youll also ensure that if incidents arise, the needed documentation and processes are available. To achieve this, work with your operations and support team to define acceptable trends and what documents or processes require updating:
When youve deployed an update, youll need to make sure the update isnt introducing new operational issues. And youll also ensure that if incidents arise, the needed documentation and processes are available. Work with your operations and support team to define acceptable trends and what documents or processes require updating:
- **Call trend**: Define what percentage increase in calls relating to Windows 10 feature updates are acceptable or can be supported.
- **Incident trend**: Define what percentage of increase in calls asking for support relating to Windows 10 feature updates are acceptable or can be supported.
- **Support documentation**: Review supporting documentation that requires an update to support new infrastructure tooling or configuration as part of the Windows 10 feature update.
- **Process changes:** Define and update any processes that will change as a result of the Windows 10 feature update.
Your operations and support staff can help you determine if the appropriate information is being tracked at the moment. If it isn't, work out how to get get this information so you can gain the right insight.
Your operations and support staff can help you determine if the appropriate information is being tracked at the moment. If it isn't, work out how to get this information so you can gain the right insight.
## Tasks

BIN
windows/deployment/update/images/safeguard-hold-notification.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 36 KiB

144
windows/deployment/update/media-dynamic-update.md
View File

@ -18,7 +18,7 @@ ms.topic: article
**Applies to**: Windows 10
This topic explains how to acquire and apply Dynamic Update packages to existing Windows 10 images <em>prior to deployment</em> and includes Windows PowerShell scripts you can use to automate this process.
This topic explains how to acquire and apply Dynamic Update packages to existing Windows 10 images *prior to deployment* and includes Windows PowerShell scripts you can use to automate this process.
Volume-licensed media is available for each release of Windows 10 in the Volume Licensing Service Center (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. You can use Dynamic Update to ensure that Windows 10 devices have the latest feature update packages as part of an in-place upgrade while preserving language pack and Features on Demand (FODs) that might have been previously installed. Dynamic Update also eliminates the need to install a separate quality update as part of the in-place upgrade process.
@ -42,8 +42,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
![Table with columns labeled Title, Products, Classification, Last Updated, Version, and Size and four rows listing various dynamic updates and associated KB articles](images/update-catalog.png)
The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in <em>bold</em> the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results.
The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in **bold** the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results.
|To find this Dynamic Update packages, search for or check the results here--> |Title |Product |Description (select the **Title** link to see **Details**) |
|---------|---------|---------|---------|
@ -94,8 +93,7 @@ Optional Components, along with the .NET feature, can be installed offline, howe
## Windows PowerShell scripts to apply Dynamic Updates to an existing image
These examples are for illustration only, and therefore lack error handling. The script assumes that the following packages is stored locally in this folder structure:
These examples are for illustration only, and therefore lack error handling. The script assumes that the following packages are stored locally in this folder structure:
|Folder |Description |
|---------|---------|
@ -108,49 +106,51 @@ These examples are for illustration only, and therefore lack error handling. The
The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there is a script error and it's necessary to start over from a known state. Also, it will provide a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they are not read-only.
```powershell
function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) }
#Requires -RunAsAdministrator
Write-Host "$(Get-TS): Starting media refresh"
function Get-TS { return "{0:HH:mm:ss}" -f [DateTime]::Now }
# Declare media for FOD and LPs
$FOD_ISO_PATH = "C:\mediaRefresh\packages\FOD-PACKAGES_OEM_PT1_amd64fre_MULTI.iso"
$LP_ISO_PATH = "C:\mediaRefresh\packages\CLIENTLANGPACKDVD_OEM_MULTI.iso"
Write-Output "$(Get-TS): Starting media refresh"
# Declare language for showcasing adding optional localized components
$LANG = "ja-jp"
$LANG = "ja-jp"
$LANG_FONT_CAPABILITY = "jpan"
# Declare media for FOD and LPs
$FOD_ISO_PATH = "C:\mediaRefresh\packages\FOD-PACKAGES_OEM_PT1_amd64fre_MULTI.iso"
$LP_ISO_PATH = "C:\mediaRefresh\packages\CLIENTLANGPACKDVD_OEM_MULTI.iso"
# Declare Dynamic Update packages
$LCU_PATH = "C:\mediaRefresh\packages\LCU.msu"
$SSU_PATH = "C:\mediaRefresh\packages\SSU_DU.msu"
$SETUP_DU_PATH = "C:\mediaRefresh\packages\Setup_DU.cab"
$LCU_PATH = "C:\mediaRefresh\packages\LCU.msu"
$SSU_PATH = "C:\mediaRefresh\packages\SSU_DU.msu"
$SETUP_DU_PATH = "C:\mediaRefresh\packages\Setup_DU.cab"
$SAFE_OS_DU_PATH = "C:\mediaRefresh\packages\SafeOS_DU.cab"
$DOTNET_CU_PATH = "C:\mediaRefresh\packages\DotNet_CU.msu"
$DOTNET_CU_PATH = "C:\mediaRefresh\packages\DotNet_CU.msu"
# Declare folders for mounted images and temp files
$WORKING_PATH = "C:\mediaRefresh\temp"
$MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia"
$MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia"
$MAIN_OS_MOUNT = $WORKING_PATH + "\MainOSMount"
$WINRE_MOUNT = $WORKING_PATH + "\WinREMount"
$WINPE_MOUNT = $WORKING_PATH + "\WinPEMount"
$MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia"
$MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia"
$WORKING_PATH = "C:\mediaRefresh\temp"
$MAIN_OS_MOUNT = "C:\mediaRefresh\temp\MainOSMount"
$WINRE_MOUNT = "C:\mediaRefresh\temp\WinREMount"
$WINPE_MOUNT = "C:\mediaRefresh\temp\WinPEMount"
# Mount the language pack ISO
Write-Host "$(Get-TS): Mounting LP ISO"
Write-Output "$(Get-TS): Mounting LP ISO"
$LP_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
# Declare language related cabs
$WINPE_OC_PATH = Join-Path $LP_ISO_DRIVE_LETTER":" -ChildPath "Windows Preinstallation Environment" | Join-Path -ChildPath "x64" | Join-Path -ChildPath "WinPE_OCs"
$WINPE_OC_LANG_PATH = Join-Path $WINPE_OC_PATH $LANG
$WINPE_OC_LANG_CABS = Get-ChildItem $WINPE_OC_LANG_PATH -name
$WINPE_OC_LP_PATH = Join-Path $WINPE_OC_LANG_PATH "lp.cab"
$WINPE_FONT_SUPPORT_PATH = Join-Path $WINPE_OC_PATH "WinPE-FontSupport-$LANG.cab"
$WINPE_SPEECH_TTS_PATH = Join-Path $WINPE_OC_PATH "WinPE-Speech-TTS.cab"
$WINPE_SPEECH_TTS_LANG_PATH = Join-Path $WINPE_OC_PATH "WinPE-Speech-TTS-$LANG.cab"
$OS_LP_PATH = $LP_ISO_DRIVE_LETTER + ":\x64\langpacks\" + "Microsoft-Windows-Client-Language-Pack_x64_" + $LANG + ".cab"
$WINPE_OC_PATH = "$LP_ISO_DRIVE_LETTER`:\Windows Preinstallation Environment\x64\WinPE_OCs"
$WINPE_OC_LANG_PATH = "$WINPE_OC_PATH\$LANG"
$WINPE_OC_LANG_CABS = Get-ChildItem $WINPE_OC_LANG_PATH -Name
$WINPE_OC_LP_PATH = "$WINPE_OC_LANG_PATH\lp.cab"
$WINPE_FONT_SUPPORT_PATH = "$WINPE_OC_PATH\WinPE-FontSupport-$LANG.cab"
$WINPE_SPEECH_TTS_PATH = "$WINPE_OC_PATH\WinPE-Speech-TTS.cab"
$WINPE_SPEECH_TTS_LANG_PATH = "$WINPE_OC_PATH\WinPE-Speech-TTS-$LANG.cab"
$OS_LP_PATH = "$LP_ISO_DRIVE_LETTER`:\x64\langpacks\Microsoft-Windows-Client-Language-Pack_x64_$LANG.cab"
# Mount the Features on Demand ISO
Write-Host "$(Get-TS): Mounting FOD ISO"
Write-Output "$(Get-TS): Mounting FOD ISO"
$FOD_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\"
@ -161,10 +161,11 @@ New-Item -ItemType directory -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
New-Item -ItemType directory -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
# Keep the original media, make a copy of it for the new, updated media.
Write-Host "$(Get-TS): Copying original media to new media path"
Write-Output "$(Get-TS): Copying original media to new media path"
Copy-Item -Path $MEDIA_OLD_PATH"\*" -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null
Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly } | ForEach-Object { $_.IsReadOnly = $false }
```
### Update WinRE
The script assumes that only a single edition is being updated, indicated by Index = 1 (Windows 10 Education Edition). Then the script mounts the image, saves Winre.wim to the working folder, and mounts it. It then applies servicing stack Dynamic Update, since its components are used for updating other components. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package.
@ -176,25 +177,25 @@ It finishes by cleaning and exporting the image to reduce the image size.
```powershell
# Mount the main operating system, used throughout the script
Write-Host "$(Get-TS): Mounting main OS"
Write-Output "$(Get-TS): Mounting main OS"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
#
# update Windows Recovery Environment (WinRE)
#
Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destination $WORKING_PATH"\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Mounting WinRE"
Write-Output "$(Get-TS): Mounting WinRE"
Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
# Add servicing stack update
Write-Host "$(Get-TS): Adding package $SSU_PATH"
Write-Output "$(Get-TS): Adding package $SSU_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
#
# Optional: Add the language to recovery environment
#
# Install lp.cab cab
Write-Host "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
# Install language cabs for each optional package installed
@ -210,7 +211,7 @@ Foreach ($PACKAGE in $WINRE_INSTALLED_OC) {
$OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
$OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
Write-Host "$(Get-TS): Adding package $OC_CAB_PATH"
Write-Output "$(Get-TS): Adding package $OC_CAB_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
}
}
@ -219,7 +220,7 @@ Foreach ($PACKAGE in $WINRE_INSTALLED_OC) {
# Add font support for the new language
if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
Write-Host "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH"
Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
}
@ -227,30 +228,31 @@ if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null
}
}
# Add Safe OS
Write-Host "$(Get-TS): Adding package $SAFE_OS_DU_PATH"
Write-Output "$(Get-TS): Adding package $SAFE_OS_DU_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SAFE_OS_DU_PATH -ErrorAction stop | Out-Null
# Perform image cleanup
Write-Host "$(Get-TS): Performing image cleanup on WinRE"
Write-Output "$(Get-TS): Performing image cleanup on WinRE"
DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
# Dismount
Dismount-WindowsImage -Path $WINRE_MOUNT -Save -ErrorAction stop | Out-Null
# Export
Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\winre2.wim"
Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\winre2.wim"
Export-WindowsImage -SourceImagePath $WORKING_PATH"\winre.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\winre2.wim" -ErrorAction stop | Out-Null
Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim" -Force -ErrorAction stop | Out-Null
```
### Update WinPE
This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. Finally, it cleans and exports Boot.wim, and copies it back to the new media.
@ -266,15 +268,15 @@ $WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim"
Foreach ($IMAGE in $WINPE_IMAGES) {
# update WinPE
Write-Host "$(Get-TS): Mounting WinPE"
Write-Output "$(Get-TS): Mounting WinPE"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
# Add SSU
Write-Host "$(Get-TS): Adding package $SSU_PATH"
Write-Output "$(Get-TS): Adding package $SSU_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
# Install lp.cab cab
Write-Host "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
# Install language cabs for each optional package installed
@ -291,7 +293,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
$OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
$OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
Write-Host "$(Get-TS): Adding package $OC_CAB_PATH"
Write-Output "$(Get-TS): Adding package $OC_CAB_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
}
}
@ -300,7 +302,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
# Add font support for the new language
if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
Write-Host "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH"
Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
}
@ -308,39 +310,40 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null
}
}
# Generates a new Lang.ini file which is used to define the language packs inside the image
if ( (Test-Path -Path $WINPE_MOUNT"\sources\lang.ini") ) {
Write-Host "$(Get-TS): Updating lang.ini"
Write-Output "$(Get-TS): Updating lang.ini"
DISM /image:$WINPE_MOUNT /Gen-LangINI /distribution:$WINPE_MOUNT | Out-Null
}
# Add latest cumulative update
Write-Host "$(Get-TS): Adding package $LCU_PATH"
Write-Output "$(Get-TS): Adding package $LCU_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
# Perform image cleanup
Write-Host "$(Get-TS): Performing image cleanup on WinPE"
Write-Output "$(Get-TS): Performing image cleanup on WinPE"
DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
# Dismount
Dismount-WindowsImage -Path $WINPE_MOUNT -Save -ErrorAction stop | Out-Null
#Export WinPE
Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim"
Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim"
Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\boot2.wim" -ErrorAction stop | Out-Null
}
Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\boot.wim" -Force -ErrorAction stop | Out-Null
```
### Update the main operating system
For this next phase, there is no need to mount the main operating system, since it was already mounted in the previous scripts. This script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it leverages `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod).
@ -355,36 +358,36 @@ You can install Optional Components, along with the .NET feature, offline, but t
#
# Add servicing stack update
Write-Host "$(Get-TS): Adding package $SSU_PATH"
Write-Output "$(Get-TS): Adding package $SSU_PATH"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
# Optional: Add language to main OS
Write-Host "$(Get-TS): Adding package $OS_LP_PATH"
Write-Output "$(Get-TS): Adding package $OS_LP_PATH"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $OS_LP_PATH -ErrorAction stop | Out-Null
# Optional: Add a Features on Demand to the image
Write-Host "$(Get-TS): Adding language FOD: Language.Fonts.Jpan~~~und-JPAN~0.0.1.0"
Write-Output "$(Get-TS): Adding language FOD: Language.Fonts.Jpan~~~und-JPAN~0.0.1.0"
Add-WindowsCapability -Name "Language.Fonts.$LANG_FONT_CAPABILITY~~~und-$LANG_FONT_CAPABILITY~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Adding language FOD: Language.Basic~~~$LANG~0.0.1.0"
Write-Output "$(Get-TS): Adding language FOD: Language.Basic~~~$LANG~0.0.1.0"
Add-WindowsCapability -Name "Language.Basic~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Adding language FOD: Language.OCR~~~$LANG~0.0.1.0"
Write-Output "$(Get-TS): Adding language FOD: Language.OCR~~~$LANG~0.0.1.0"
Add-WindowsCapability -Name "Language.OCR~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Adding language FOD: Language.Handwriting~~~$LANG~0.0.1.0"
Write-Output "$(Get-TS): Adding language FOD: Language.Handwriting~~~$LANG~0.0.1.0"
Add-WindowsCapability -Name "Language.Handwriting~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Adding language FOD: Language.TextToSpeech~~~$LANG~0.0.1.0"
Write-Output "$(Get-TS): Adding language FOD: Language.TextToSpeech~~~$LANG~0.0.1.0"
Add-WindowsCapability -Name "Language.TextToSpeech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Adding language FOD:Language.Speech~~~$LANG~0.0.1.0"
Write-Output "$(Get-TS): Adding language FOD:Language.Speech~~~$LANG~0.0.1.0"
Add-WindowsCapability -Name "Language.Speech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
# Note: If I wanted to enable additional Features on Demand, I'd add these here.
# Add latest cumulative update
Write-Host "$(Get-TS): Adding package $LCU_PATH"
Write-Output "$(Get-TS): Adding package $LCU_PATH"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
# Copy our updated recovery image from earlier into the main OS
@ -393,7 +396,7 @@ Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop
Copy-Item -Path $WORKING_PATH"\winre.wim" -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null
# Perform image cleanup
Write-Host "$(Get-TS): Performing image cleanup on main OS"
Write-Output "$(Get-TS): Performing image cleanup on main OS"
DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
#
@ -402,18 +405,18 @@ DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
# the image to be booted, and thus if we tried to cleanup after installation, it would fail.
#
Write-Host "$(Get-TS): Adding NetFX3~~~~"
Write-Output "$(Get-TS): Adding NetFX3~~~~"
Add-WindowsCapability -Name "NetFX3~~~~" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
# Add .NET Cumulative Update
Write-Host "$(Get-TS): Adding package $DOTNET_CU_PATH"
Write-Output "$(Get-TS): Adding package $DOTNET_CU_PATH"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $DOTNET_CU_PATH -ErrorAction stop | Out-Null
# Dismount
Dismount-WindowsImage -Path $MAIN_OS_MOUNT -Save -ErrorAction stop | Out-Null
# Export
Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim"
Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim"
Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\install.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\install2.wim" -ErrorAction stop | Out-Null
Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sources\install.wim" -Force -ErrorAction stop | Out-Null
```
@ -428,9 +431,10 @@ This part of the script updates the Setup files. It simply copies the individual
#
# Add Setup DU by copy the files from the package into the newMedia
Write-Host "$(Get-TS): Adding package $SETUP_DU_PATH"
Write-Output "$(Get-TS): Adding package $SETUP_DU_PATH"
cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PATH"\sources" | Out-Null
```
### Finish up
As a last step, the script removes the working folder of temporary files, and unmounts our language pack and Features on Demand ISOs.
@ -444,9 +448,9 @@ As a last step, the script removes the working folder of temporary files, and un
Remove-Item -Path $WORKING_PATH -Recurse -Force -ErrorAction stop | Out-Null
# Dismount ISO images
Write-Host "$(Get-TS): Dismounting ISO images"
Write-Output "$(Get-TS): Dismounting ISO images"
Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Out-Null
Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Media refresh completed!"
Write-Output "$(Get-TS): Media refresh completed!"
```

15
windows/deployment/update/plan-define-readiness.md
View File

@ -1,6 +1,5 @@
---
title: Define readiness criteria
ms.reviewer:
manager: laurawi
description: Identify important roles and figure out how to classify apps
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
@ -11,14 +10,14 @@ author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
ms.topic: article
ms.collection: M365-modern-desktop
ms.collection: m365initiative-coredeploy
---
# Define readiness criteria
## Figure out roles and personnel
Planning and managing a deployment involves a variety of distinct activies and roles best suited to each. As you plan, it's worth figuring out which roles you'll need to carry out the deployment and who should fill them. Different roles are active at various phases of a deployment. Depending on the size and complexity of your organization, some of the roles could be filled by the same person. However, it's best to have an established *process manager*, who will oversee all of the tasks for the deployment.
Planning and managing a deployment involves a variety of distinct activities and roles best suited to each. As you plan, it's worth figuring out which roles you'll need to carry out the deployment and who should fill them. Different roles are active at various phases of a deployment. Depending on the size and complexity of your organization, some of the roles could be filled by the same person. However, it's best to have an established *process manager*, who will oversee all of the tasks for the deployment.
### Process manager
@ -39,7 +38,7 @@ This table sketches out one view of the other roles, with their responsibilities
|Role |Responsibilities |Skills |Active phases |
|---------|---------|---------|---------|
|Process manager | Manages the process end to end; ensures inputs and outputs are captures; ensures that activities progress | IT service management | Plan, prepare, pilot deployment, broad deployment |
|Process manager | Manages the process end to end; ensures inputs and outputs are captures; ensures that activities progress | IT Service Management | Plan, prepare, pilot deployment, broad deployment |
|Application owner | Define application test plan; assign user acceptance testers; certify the application | Knowledge of critical and important applications | Plan, prepare, pilot deployment |
|Application developer | Ensure apps are developed to stay compatible with current Windows versions | Application development; application remediation | Plan, prepare |
|End-user computing | Typically a group including infrastructure engineers or deployment engineers who ensure upgrade tools are compatible with Windows | Bare-metal deployment; infrastructure management; application delivery; update management | Plan, prepare, pilot deployment, broad deployment |
@ -54,7 +53,7 @@ This table sketches out one view of the other roles, with their responsibilities
## Set criteria for rating apps
Some apps in your environment are fundamental to your core business activities. Other apps help workers perform their roles, but arent critical to your business operations. Before you start inventorying and assessing the apps in your environment, you should establish some criteria for categorizing your apps, and then determine a priority for each. This will help you understand how best to deploy updates and how to resolve any issues that could arise.
Some apps in your environment are fundamental to your core business activities. Other apps help workers perform their roles, but arent critical to your business operations. Before you start inventorying and assessing the apps in your environment, you should establish some criteria for categorizing your apps, and then determine a priority for each. This process will help you understand how best to deploy updates and how to resolve any issues that could arise.
In the Prepare phase, you'll apply the criteria you define now to every app in your organization.
@ -67,9 +66,9 @@ Here's a suggested classification scheme:
|Important | Applications that individual staff members need to support their productivity. Downtime here would affect individual users, but would only have a minimal impact on the business. |
|Not important | There is no impact on the business if these apps are not available for a while. |
Once you have classified your applications, you should agree what each classification means to the organization in terms of priority and severity. This will help ensure that you can triage problems with the right level of urgency. You should assign each app a time-based priority.
Once you have classified your applications, you should agree what each classification means to the organization in terms of priority and severity. This activity will help ensure that you can triage problems with the right level of urgency. You should assign each app a time-based priority.
Here's an example priority rating system; of course the specifics could vary for your organization:
Here's an example priority rating system; the specifics could vary for your organization:
|Priority |Definition |
@ -101,7 +100,7 @@ Using the suggested scheme, a financial corporation might classify their apps li
|Credit processing app | Critical |
|Frontline customer service app | Critical |
|PDF viewer | Important |
|Image processing app | Not important |
|Image-processing app | Not important |
Further, they might combine this classification with severity and priority rankings like this:

16
windows/deployment/update/plan-define-strategy.md
View File

@ -7,18 +7,18 @@ ms.mktglfcycl: manage
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.reviewer:
manager: laurawi
ms.topic: article
ms.collection: m365initiative-coredeploy
---
# Define update strategy with a calendar
Traditionally, organizations treated the deployment of operating system updates (especially feature updates) as a discrete project that had a beginning, a middle, and an end. A release was "built" (usually in the form of an image) and then distributed to users and their devices.
Today, more organizations are treating deployment as a continual process of updates which roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release.
Today, more organizations are treating deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release.
Though we encourage you to deploy every available release and maintain a fast cadence for some portion of your environment, we also recognize that you might have a large number of devices, and a need for little or no disruption, an so you might choose to update annually. The 18/30 month lifecycle cadence lets you to allow some portion of you environment to move faster while a majority can move less quickly.
Though we encourage you to deploy every available release and maintain a fast cadence for some portion of your environment, we also recognize that you might have a large number of devices, and a need for little or no disruption, and so you might choose to update annually. The 18/30 month lifecycle cadence lets you allow some portion of your environment to move faster while a majority can move less quickly.
## Calendar approaches
You can use a calendar approach for either a faster twice-per-year cadence or an annual cadence. Depending on company size, installing Windows 10 feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they will stop receiving the monthly security updates.
@ -26,20 +26,22 @@ You can use a calendar approach for either a faster twice-per-year cadence or an
### Annual
Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Endpoint Configuration Manager and Microsoft 365 Apps release cycles:
![Calendar showing an annual update cadence](images/annual-calendar.png)
[ ![Calendar showing an annual update cadence](images/annual-calendar.png) ](images/annual-calendar.png#lightbox)
This approach provides approximately twelve months of use from each feature update before the next update is due to be installed. By aligning to the Windows 10, version H2 feature update, each release will be serviced for 30 months from the time of availability, giving you more flexibility when applying future feature updates.
This approach provides approximately 12 months of use from each feature update before the next update is due to be installed. By aligning to the Windows 10, version H2 feature update, each release will be serviced for 30 months from the time of availability, giving you more flexibility when applying future feature updates.
This cadence might be most suitable for you if any of these conditions apply:
- You are just starting your journey with the Windows 10 servicing process. If you are unfamiliar with new processes that support Windows 10 servicing, moving from a once every 3-5 year project to a twice a year feature update process can be daunting. This approach gives you time to learn new approaches and tools to reduce effort and cost.
- You are just starting your journey with the Windows 10 servicing process. If you are unfamiliar with new processes that support Windows 10 servicing, moving from a project happening once every three to five years to a twice-a-year feature update process can be daunting. This approach gives you time to learn new approaches and tools to reduce effort and cost.
- You want to wait and see how successful other companies are at adopting a Windows 10 feature update.
- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows 10 serviced in case business priorities change. Aligning to the Windows 10 feature update released in the second half of each calendar year, you get additional servicing for Windows 10 (30 months of servicing compared to 18 months).
### Rapid
This calendar shows an example schedule that installs each feature update as it is released, twice per year:
![Update calendar showing a faster update cadence](images/rapid-calendar.png)
[ ![Update calendar showing a faster update cadence](images/rapid-calendar.png) ](images/rapid-calendar.png#lightbox)
This cadence might be best for you if these conditions apply:

7
windows/deployment/update/plan-determine-app-readiness.md
View File

@ -1,6 +1,5 @@
---
title: Determine application readiness
ms.reviewer:
manager: laurawi
description: How to test your apps to know which need attention prior to deploying an update
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
@ -10,7 +9,7 @@ audience: itpro
ms.localizationpriority: medium
ms.audience: itpro
ms.topic: article
ms.collection: M365-modern-desktop
ms.collection: m365initiative-coredeploy
ms.author: jaimeo
author: jaimeo
---
@ -26,11 +25,11 @@ You can choose from a variety of methods to validate apps. Exactly which ones to
|Validation method |Description |
|---------|---------|
|Full regression | A full quality assurance probing. Staff who know the application very well and can validate its core functionality should do this. |
|Full regression | A full quality assurance probing. Staff who know the application well and can validate its core functionality should do this. |
|Smoke testing | The application goes through formal validation. That is, a user validates the application following a detailed plan, ideally with limited, or no knowledge of the application theyre validating. |
|Automated testing | Software performs tests automatically. The software will let you know whether the tests have passed or failed, and will provide detailed reporting for you automatically. |
|Test in pilot | You pre-select users to be in the pilot deployment group and carry out the same tasks they do on a day-to-day basis to validate the application. Normally you use this method in addition to one of the other validation types. |
|Reactive response | Applications are validated in late pilot, and no specific users are selected. These are normally applications aren't installed on many devices and arent handled by enterprise application distribution. |
|Reactive response | Applications are validated in late pilot, and no specific users are selected. These applications normally aren't installed on many devices and arent handled by enterprise application distribution. |
Combining the various validation methods with the app classifications you've previously established might look like this:

66
windows/deployment/update/prepare-deploy-windows.md
View File

@ -1,6 +1,6 @@
---
title: Prepare to deploy Windows
description:
description: Final steps to get ready to deploy Windows, including preparing infrastructure, environment, applications, devices, network, capability, and users
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
@ -10,6 +10,7 @@ ms.author: jaimeo
ms.reviewer:
manager: laurawi
ms.topic: article
ms.collection: m365initiative-coredeploy
---
# Prepare to deploy Windows
@ -31,19 +32,25 @@ Now you're ready to actually start making changes in your environment to get rea
Your infrastructure probably includes many different components and tools. Youll need to ensure your environment isnt affected by issues due to the changes you make to the various parts of the infrastructure. Follow these steps:
1. Review all of the infrastructure changes that youve identified in your plan. Its important to understand the changes that need to be made and to detail how to implement them. This prevents problems later on.
1. Review all of the infrastructure changes that youve identified in your plan. Its important to understand the changes that need to be made and to detail how to implement them. This process prevents problems later on.
2. Validate your changes. Youll validate the changes for your infrastructures components and tools, to help you understand how your changes could affect your production environment.
3. Implement the changes. Once the changes have been validated, you can implement the changes across the wider infrastructure.
You should also look at your organizations environments configuration and outline how youll implement any necessary changes previously identified in the plan phase to support the update. Consider what youll need to do for the various settings and policies that currently underpin the environment. For example:
- Implement new draft security guidance. New versions of Windows can include new features that improve your environments security. Your security teams will want to make appropriate changes to security related configurations.
- Update security baselines. Security teams understand the relevant security baselines and will have to work to make sure all baselines fit into whatever guidance they have to adhere to.
However, your configuration will consist of many different settings and policies. Its important to only apply changes where they are necessary, and where you gain a clear improvement. Otherwise, your environment might face issues that will slow down the update process. You want to ensure your environment isnt affected adversely because of changes you make. For example:
1. Review new security settings. Your security team will review the new security settings, to understand how they can best be set to facilitate the update, and to also investigate the potential effects they might have on your environment.
2. Review security baselines for changes. Security teams will also review all the necessary security baselines, to ensure the changes can be implemented, and ensure your environment remains compliant.
3. Implement and validate security settings and baseline changes. Your security teams will then implement all of the security settings and baselines, having addressed any potential outstanding issues.
@ -100,39 +107,42 @@ Set up [Delivery Optimization](waas-delivery-optimization.md) for peer network s
In the course of surveying your device population, either with Desktop Analytics or by some other means, you might find devices that have systemic problems that could interfere with update installation. Now is the time to fix those problems.
- **Low disk space:** Quality updates require a minimum of two GB to successfully install. Feature updates require between 8 and 15 GB depending upon the configuration. On Windows 10, version 1903 and later you can proactively use the "reserved storage" feature (for wipe and loads, rebuilds, and new builds) to avoid running out of disk space. If you find a group of devices that don't have enough disk space, you can often resolve this by cleaning up log files and asking users to clean up data if necessary. A good place to start is to delete the following files:
- C:\Windows\temp
- C:\Windows\cbstemp (though this file might be necessary to investigate update failures)
- C:\Windows\WindowsUpdate.log (though this file might be necessary to investigate update failures)
- C:\Windows.Old (these files should automatically clean up after 10 days or might ask the device user for permission to clean up sooner when constrained for disk space)
- **Low disk space:** Quality updates require a minimum of 2 GB to successfully install. Feature updates require between 8 GB and 15 GB depending upon the configuration. On Windows 10, version 1903 and later you can proactively use the "reserved storage" feature (for wipe and loads, rebuilds, and new builds) to avoid running out of disk space. If you find a group of devices that don't have enough disk space, you can often resolve the problem by cleaning up log files and asking users to clean up data if necessary. A good place to start is to delete the following files:
- C:\Windows\temp
- C:\Windows\cbstemp (though this file might be necessary to investigate update failures)
- C:\Windows\WindowsUpdate.log (though this file might be necessary to investigate update failures)
- C:\Windows.Old (these files should automatically clean up after 10 days or might ask the device user for permission to clean up sooner when constrained for disk space)
You can also create and run scripts to perform additional cleanup actions on devices, with administrative rights, or use Group Policy settings.
- Clean up the Windows Store Cache by running C:\Windows\sytem32\wsreset.exe
- Optimize the WinSxS folder on the client machine by using **Dism.exe /online /Cleanup-Image /StartComponentCleanup**
- Compact the operating system by running **Compact.exe /CompactOS:always**
- Clean up the Windows Store Cache by running C:\Windows\sytem32\wsreset.exe.
- Optimize the WinSxS folder on the client machine by using **Dism.exe /online /Cleanup-Image /StartComponentCleanup**.
- Compact the operating system by running **Compact.exe /CompactOS:always**.
- Remove Windows Features on Demand that the user doesn't need. See [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) for more guidance.
- Move Windows Known Folders to OneDrive. See [Use Group Policy to control OneDrive sync settings](https://docs.microsoft.com/onedrive/use-group-policy) for more information.
- Clean up the Software Distribution folder. Try deploying these commands as a batch file to run on devices to reset the download state of Windows Updates:
```
net stop wuauserv
net stop cryptSvc
net stop bits
net stop msiserver
ren C:\Windows\SoftwareDistribution C:\Windows\SoftwareDistribution.old
net start wuauserv
net start cryptSvc
net start bits
net start msiserver
```
- **Application and driver updates:** Out-of-date app or driver software can prevent devices from updating successfully. Desktop Analytics will help you identify drivers and applications that need attention. You can also
check for known issues in order to take any appropriate action. Deploy any updates from the vendor(s) for any problematic application or driver versions to resolve issues.
- **Corruption:** In rare circumstances, a device that has repeated installation errors might be corrupted in a way that prevents the system from applying a new update. You might have to repair the Component Based Store from another source. You can do this with the [System File Checker](https://support.microsoft.com/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system).
```console
net stop wuauserv
net stop cryptSvc
net stop bits
net stop msiserver
ren C:\Windows\SoftwareDistribution C:\Windows\SoftwareDistribution.old
net start wuauserv
net start cryptSvc
net start bits
net start msiserver
```
- **Application and driver updates:** Out-of-date app or driver software can prevent devices from updating successfully. Desktop Analytics will help you identify drivers and applications that need attention. You can also check for known issues in order to take any appropriate action. Deploy any updates from the vendor(s) for any problematic application or driver versions to resolve issues.
- **Corruption:** In rare circumstances, a device that has repeated installation errors might be corrupted in a way that prevents the system from applying a new update. You might have to repair the Component-Based Store from another source. You can fix the problem with the [System File Checker](https://support.microsoft.com/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system).
## Prepare capability
@ -140,14 +150,16 @@ check for known issues in order to take any appropriate action. Deploy any updat
In the plan phase, you determined the specific infrastructure and configuration changes that needed to be implemented to add new capabilities to the environment. Now you can move on to implementing those changes defined in the plan phase. You'll need to complete these higher-level tasks to gain those new capabilities:
- Enable capabilities across the environment by implementing the changes. For example, implement updates to relevant ADMX templates in Active Directory. New Windows versions will come with new policies that you use to update ADMX templates.
- Validate new changes to understand how they affect the wider environment.
- Remediate any potential problems that have been identified through validation.
## Prepare users
Users often feel like they are forced into updating their devices randomly. They often don't fully understand why an update is needed, and they don't know when updates would be applied to their devices ahead of time. It's best to ensure that upcoming updates are communicated clearly and with adequate warning.
You can employ a variety of measures to achieve this, for example:
You can employ a variety of measures to achieve this goal, for example:
- Send overview email about the update and how it will be deployed to the entire organization.
- Send personalized emails to users about the update with specific details.

43
windows/deployment/update/safeguard-holds.md Normal file
View File

@ -0,0 +1,43 @@
---
title: Safeguard holds
description: What are safeguard holds, how can you tell if one is in effect, and what to do about it
ms.prod: w10
ms.mktglfcycl: manage
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
manager: laurawi
ms.topic: article
---
# Safeguard holds
Microsoft uses quality and compatibility data to identify issues that might cause a Windows 10 feature update to fail or roll back. When find such an issue, we might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available.
Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows 10.
The lifespan of holds varies depending on the time required to investigate and fix an issue. During this time Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the hold. Once we release the hold, Windows Update will resume offering new operating system versions to devices.
Safeguard holds only affect devices that use the Window Update service for updates. We encourage IT admins who manage updates to devices through other channels (such as media installations or updates coming from Windows Server Update Services (WSUS)) to remain aware of known issues that might also be present in their environments.
## Am I affected by a safeguard hold?
IT admins can use [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) to monitor various update health metrics for devices in their organization, including ones affected by a safeguard hold that prevents them from updating to a newer operating system version.
Queries identify Safeguard IDs for each affected device, giving IT admins a detailed view into the various protections extended to devices. Safeguard IDs for publicly discussed known issues are also included in the [Windows Release Health](https://docs.microsoft.com/windows/release-information/status-windows-10-1903) dashboard, where you can easily find information related to publicly available safeguards.
On devices that use Windows Update (but not Windows Update for Business), the **Windows Update** page in the Settings app displays a message stating that an update is on its way, but not ready for the device. Instead of the option to download and install the update, users will see this message:
![Feature update message reading "The Windows 10 May 2020 Update is on its way. Once it's ready for your device, you'll see the update available on this page](images/safeguard-hold-notification.png)
If you see this message, it means one or more holds affect your device. When the issue is fixed and the update is safe to install, well release the hold and the update can resume safely.
## What can I do?
We recommend that you do not attempt to manually update until issues have been resolved and holds released.
> [!CAUTION]
> Opting out of a safeguard hold can put devices at risk from known performance issues. We strongly recommend that you complete robust testing to ensure the impact is acceptable before opting out.
With that in mind, IT admins who stay informed with [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) and the [Windows Release Health](https://docs.microsoft.com/windows/release-information/status-windows-10-1903) dashboard can choose to temporarily [opt-out of the protection of all safeguard holds](safeguard-opt-out.md) and allow an update to proceed. We recommend opting out only in an IT environment and for validation purposes. If you do opt out of a hold, this condition is temporary. Once an update is complete, protection of safeguard holds is reinstated automatically.

32
windows/deployment/update/safeguard-opt-out.md Normal file
View File

@ -0,0 +1,32 @@
---
title: Opt out of safeguard holds
description: Steps to install an update even it if has a safeguard hold applied
ms.prod: w10
ms.mktglfcycl: manage
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
manager: laurawi
ms.topic: article
---
# Opt out of safeguard holds
Safeguard holds prevent a device with a known compatibility issue from being offered a new Windows 10 feature update by using Windows Update. We use safeguard holds to protect the device and user from a failed or poor update experience. We renew the offering once a fix is issued and is verified on an affected device. For more information about safeguard holds, see [Safeguard holds](safeguard-holds.md).
## How can I opt out of safeguard holds?
IT admins can, if necessary, opt devices out of safeguard protections by using the disable safeguards policy. In a Mobile Device Management (MDM) tool, use the **Update/DisableWUfBSafeguards** CSP. In Group Policy, use the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update.
> [!CAUTION]
> Opting out of a safeguard hold can put devices at risk from known performance issues.
We recommend opting out only in an IT environment and for validation purposes. You can also validate an upcoming Windows 10 feature update version without the safeguards being applied by using the Release Preview channel of the Windows Insider Program for Business.
Disabling safeguards does not guarantee your device will be able to successfully update. The update might still fail and will likely result in a bad experience since you are bypassing the protection against known issues.
> [!NOTE]
> After a device installs a new Windows 10 version, the **Disable safeguards for Feature Updates** Group Policy will revert to “not configured” even if it was previously enabled. We do this to ensure the admin is consciously disabling Microsofts default protection from known issues for each new feature update.

2
windows/deployment/update/servicing-stack-updates.md
View File

@ -28,6 +28,8 @@ Servicing stack updates provide fixes to the servicing stack, the component that
Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
For information about some changes to servicing stack updates, see [Simplifing Deployment of Servicing Stack Updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-on-premises-deployment-of-servicing-stack-updates/ba-p/1646039) on the Windows IT Pro blog.
## When are they released?
Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical."

14
windows/deployment/update/update-compliance-feature-update-status.md
View File

@ -47,16 +47,6 @@ Update Compliance reporting offers two queriesto help you retrieve data relat
Update Compliance reporting will display the Safeguard IDs for known issues affecting a device in the **DeploymentErrorCode** column. Safeguard IDs for publicly discussed known issues are also included in the Windows Release Health dashboard, where you can easily find information related to publicly available safeguards.
### Opting out of safeguard hold
Microsoft will release a device from a safeguard hold when it has determined it can safely and smoothly install a feature update, but you are ultimately in control of your devices and can opt out if desired.
To opt out, set the registry key as follows:
- Registry Key Path :: **Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion**
- Create New Key :: **502505fe-762c-4e80-911e-0c3fa4c63fb0**
- Name :: **DataRequireGatedScanForFeatureUpdates**
- Type :: **REG_DWORD**
- Value :: **0**
Setting this registry key to **0** will force the device to opt out from *all* safeguard holds. Any other value, or deleting the key, will resume compatibility protection on the device.
### Opt out of safeguard hold
You can [opt out of safeguard protections](safeguard-opt-out.md) by using the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update.

2
windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
View File

@ -39,7 +39,7 @@ Windows 10 spreads the traditional deployment effort of a Windows upgrade, which
> [!NOTE]
> This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](../planning/index.md).
>
> Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version.
> Windows 10 Enterprise LTSC is a separate Long Term Servicing Channel version.
Each time Microsoft releases a Windows 10 feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful:

9
windows/docfx.json
View File

@ -18,10 +18,11 @@
"audience": "ITPro",
"breadcrumb_path": "/itpro/windows/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "Win.windows"
},
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "Win.windows"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",

6
windows/hub/index.yml
View File

@ -13,7 +13,7 @@ metadata:
ms.collection: windows-10
author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
ms.author: greglin #Required; microsoft alias of author; optional team alias.
ms.date: 09/23/2020 #Required; mm/dd/yyyy format.
ms.date: 10/20/2020 #Required; mm/dd/yyyy format.
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@ -26,12 +26,12 @@ landingContent:
linkLists:
- linkListType: overview
links:
- text: What's new in Windows 10, version 20H2
url: /windows/whats-new/whats-new-windows-10-version-20H2
- text: What's new in Windows 10, version 2004
url: /windows/whats-new/whats-new-windows-10-version-2004
- text: What's new in Windows 10, version 1909
url: /windows/whats-new/whats-new-windows-10-version-1909
- text: What's new in Windows 10, version 1903
url: /windows/whats-new/whats-new-windows-10-version-1903
- text: Windows 10 release information
url: https://docs.microsoft.com/windows/release-information/

660
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
View File

File diff suppressed because it is too large Load Diff

686
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
View File

File diff suppressed because it is too large Load Diff

1014
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
View File

File diff suppressed because it is too large Load Diff

1375
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
View File

File diff suppressed because it is too large Load Diff

2151
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
View File

File diff suppressed because it is too large Load Diff

5
windows/privacy/manage-windows-2004-endpoints.md
View File

@ -12,7 +12,7 @@ ms.author: obezeajo
manager: robsize
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 6/9/2020
ms.date: 10/22/2020
---
# Manage connection endpoints for Windows 10 Enterprise, version 2004
@ -60,9 +60,8 @@ The following methodology was used to derive these network endpoints:
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2|www.bing.com*|
|Device metadata|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)|
||The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTPS|dmd.metaservices.microsoft.com|
|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
|Diagnostic Data|The following endpoints are used by the Windows Diagnostic Data, Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
|||TLSv1.2|v10.events.data.microsoft.com|
|||TLSv1.2|v20.events.data.microsoft.com|
||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|HTTPS|*.telecommand.telemetry.microsoft.com|
|||TLS v1.2|watson.*.microsoft.com|
|Font Streaming|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)|

199
windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
View File

@ -1,6 +1,6 @@
---
description: Use this article to learn more about what required Windows diagnostic data is gathered.
title: Windows 10, version 2004 required diagnostic events and fields (Windows 10)
title: Windows 10, version 20H2 and Windows 10, version 2004 required diagnostic events and fields (Windows 10)
keywords: privacy, telemetry
ms.prod: w10
ms.mktglfcycl: manage
@ -13,11 +13,11 @@ manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
audience: ITPro
ms.date: 08/31/2020
ms.date: 09/30/2020
---
# Windows 10, version 2004 required Windows diagnostic events and fields
# Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields
> [!IMPORTANT]
@ -26,6 +26,7 @@ ms.date: 08/31/2020
**Applies to**
- Windows 10, version 20H2
- Windows 10, version 2004
@ -37,7 +38,6 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
@ -1166,14 +1166,6 @@ The following fields are available:
- **PrefetchWSupport** Does the processor support PrefetchW?
### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWEndSync
Deprecated in RS3. This event indicates that a full set of SystemProcessorPrefetchWAdd events has been sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync
This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
@ -1257,14 +1249,6 @@ The following fields are available:
- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM.
### Microsoft.Windows.Appraiser.General.SystemWimEndSync
Deprecated in RS3. This event indicates that a full set of SystemWimAdd events has been sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
### Microsoft.Windows.Appraiser.General.SystemWimStartSync
This event indicates that a new set of SystemWimAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
@ -1411,7 +1395,7 @@ The following fields are available:
### MicArrayGeometry
This event provides information about the layout of the individual microphone elements in the microphone array.
This event provides information about the layout of the individual microphone elements in the microphone array. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@ -2005,7 +1989,6 @@ The following fields are available:
- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp).
- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer).
- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice).
- **ext_m365a** Describes the Microsoft 365-related fields. See [Common Data Extensions.m365a](#common-data-extensionsm365a).
- **ext_mscv** Describes the correlation vector-related fields. See [Common Data Extensions.mscv](#common-data-extensionsmscv).
- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos).
- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk).
@ -2017,14 +2000,6 @@ The following fields are available:
- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format.
- **ver** Represents the major and minor version of the extension.
### Common Data Extensions.m365a
Describes the Microsoft 365-related fields.
The following fields are available:
- **enrolledTenantId** The enrolled tenant ID.
- **msp** A bitmask that lists the active programs.
### Common Data Extensions.mscv
@ -2123,7 +2098,7 @@ The following fields are available:
- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
- **xid** A list of base10-encoded XBOX User IDs.
## Common Data Fields
## Common data fields
### Ms.Device.DeviceInventoryChange
@ -2131,11 +2106,10 @@ Describes the installation state for all hardware and software components availa
The following fields are available:
- **action** The change that was invoked on a device inventory object.
- **inventoryId** Device ID used for Compatibility testing
- **objectInstanceId** Object identity which is unique within the device scope.
- **objectType** Indicates the object type that the event applies to.
- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
- **action** The change that was invoked on a device inventory object.
- **inventoryId** Device ID used for Compatibility testing
- **objectInstanceId** Object identity which is unique within the device scope.
- **objectType** Indicates the object type that the event applies to.
## Component-based servicing events
@ -3167,6 +3141,7 @@ The following fields are available:
- **Categories** A comma separated list of functional categories in which the container belongs.
- **DiscoveryMethod** The discovery method for the device container.
- **FriendlyName** The name of the device container.
- **Icon** Deprecated in RS3. The path or index to the icon file.
- **InventoryVersion** The version of the inventory file generating the events.
- **IsActive** Is the device connected, or has it been seen in the last 14 days?
- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link.
@ -3851,6 +3826,14 @@ The following fields are available:
- **IndicatorValue** The indicator value.
### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
This event indicates that this particular data object represented by the objectInstanceId is no longer present. This event is used to understand the OS indicators installed on the system. The data collected with this event helps ensure the device is current and Windows is up to date and performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
This event indicates that this particular data object represented by the objectInstanceId is no longer present. This event is used to understand the OS indicators installed on the system. The data collected with this event helps ensure the device is current and Windows is up to date and performing properly.
@ -4378,32 +4361,6 @@ The following fields are available:
- **totalRuns** Total number of running/evaluation from last time.
## Windows Admin Center events
### Microsoft.ServerManagementExperience.Gateway.Service.GatewayStatus
A periodic event that describes Windows Admin Center gateway app's version and other inventory and configuration parameters.
The following fields are available:
- **activeNodesByNodeId** A count of how many active nodes are on this gateway, deduplicated by Node ID.
- **activeNodesByUuid** A count of how many active nodes are on this gateway, deduplicated by UUID.
- **AvailableMemoryMByte** A snapshot of the available physical memory on the OS.
- **azureADAppRegistered** If the gateway is registered with an Azure Active Directory.
- **azureADAuthEnabled** If the gateway has enabled authentication using Azure Active Directory.
- **friendlyOsName** A user-friendly name describing the OS version.
- **gatewayCpuUtilizationPercent** A snapshot of CPU usage on the OS.
- **gatewayVersion** The version string for this currently running Gateway application.
- **gatewayWorkingSetMByte** A snapshot of the working set size of the gateway process.
- **installationType** Identifies if the gateway was installed as a VM extension.
- **installedDate** The date on which this gateway was installed.
- **logicalProcessorCount** A snapshot of the how many logical processors the machine running this gateway has.
- **otherProperties** This is an empty string, but may be used for another purpose in the future.
- **registeredNodesByNodeId** A count of how many nodes are registered with this gateway, deduplicated by Node ID.
- **registeredNodesByUuid** A count of how many nodes are registered with this gateway, deduplicated by UUID..
- **totalCpuUtilizationPercent** A snapshot of the total CPU utilization of the machine running this gateway.
## Privacy consent logging events
### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
@ -5238,6 +5195,18 @@ The following fields are available:
- **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU.
### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsCachedNotificationRetrieved
This event is sent when a notification is received. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
- **CV** A correlation vector.
- **GlobalEventCounter** This is a client side counter that indicates ordering of events sent by the user.
- **PackageVersion** The package version of the label.
- **UpdateHealthToolsBlobNotificationNotEmpty** A boolean that is true if the blob notification has valid content.
### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsDeviceInformationUploaded
This event is received when the UpdateHealthTools service uploads device information. The data collected with this event is used to help keep Windows secure and up to date.
@ -5308,6 +5277,24 @@ The following fields are available:
- **UpdateHealthToolsPushCurrentStep** The current step for the push notification
### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlobDocumentDetails
The event indicates the details about the blob used for update health tools. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
- **CV** A correlation vector.
- **GlobalEventCounter** This is a client side counter which indicates ordering of events sent by the user.
- **PackageVersion** The package version of the label.
- **UpdateHealthToolsDevicePolicyFileName** The default name of the policy blob file.
- **UpdateHealthToolsDssDeviceApiSegment** The URI segment for reading the DSS device pointer.
- **UpdateHealthToolsDssDeviceId** The AAD ID of the device used to create the device ID hash.
- **UpdateHealthToolsDssDevicePolicyApiSegment** The segment of the device policy API pointer.
- **UpdateHealthToolsDssTenantId** The tenant id of the device used to create the tenant id hash.
- **UpdateHealthToolsHashedDeviceId** The SHA256 hash of the device id.
- **UpdateHealthToolsHashedTenantId** The SHA256 hash of the device tenant id.
### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoAADJoin
This event indicates that the device is not AAD joined so service stops. The data collected with this event is used to help keep Windows secure and up to date.
@ -5319,6 +5306,17 @@ The following fields are available:
- **PackageVersion** Current package version of UpdateHealthTools.
### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin
This event is sent when a device has been detected as DSS device. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
- **CV** A correlation vector.
- **GlobalEventCounter** This is a client side counter which indicates ordering of events sent by this user.
- **PackageVersion** The package version of the label.
### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceStarted
This event is sent when the service first starts. It is a heartbeat indicating that the service is available on the device. The data collected with this event is used to help keep Windows secure and up to date.
@ -5955,6 +5953,32 @@ The following fields are available:
- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
## Windows Admin Center events
### Microsoft.ServerManagementExperience.Gateway.Service.GatewayStatus
A periodic event that describes Windows Admin Center gateway app's version and other inventory and configuration parameters.
The following fields are available:
- **activeNodesByNodeId** A count of how many active nodes are on this gateway, deduplicated by Node ID.
- **activeNodesByUuid** A count of how many active nodes are on this gateway, deduplicated by UUID.
- **AvailableMemoryMByte** A snapshot of the available physical memory on the OS.
- **azureADAppRegistered** If the gateway is registered with an Azure Active Directory.
- **azureADAuthEnabled** If the gateway has enabled authentication using Azure Active Directory.
- **friendlyOsName** A user-friendly name describing the OS version.
- **gatewayCpuUtilizationPercent** A snapshot of CPU usage on the OS.
- **gatewayVersion** The version string for this currently running Gateway application.
- **gatewayWorkingSetMByte** A snapshot of the working set size of the gateway process.
- **installationType** Identifies if the gateway was installed as a VM extension.
- **installedDate** The date on which this gateway was installed.
- **logicalProcessorCount** A snapshot of the how many logical processors the machine running this gateway has.
- **otherProperties** This is an empty string, but may be used for another purpose in the future.
- **registeredNodesByNodeId** A count of how many nodes are registered with this gateway, deduplicated by Node ID.
- **registeredNodesByUuid** A count of how many nodes are registered with this gateway, deduplicated by UUID.
- **totalCpuUtilizationPercent** A snapshot of the total CPU utilization of the machine running this gateway.
## Windows as a Service diagnostic events
### Microsoft.Windows.WaaSMedic.DetectionFailed
@ -6929,29 +6953,6 @@ The following fields are available:
- **updateId** ID of the update that is getting installed with this restart.
- **wuDeviceid** Unique device ID used by Windows Update.
### wilActivity
This event provides a Windows Internal Library context used for Product and Service diagnostics.
The following fields are available:
- **callContext** The function where the failure occurred.
- **currentContextId** The ID of the current call context where the failure occurred.
- **currentContextMessage** The message of the current call context where the failure occurred.
- **currentContextName** The name of the current call context where the failure occurred.
- **failureCount** The number of failures for this failure ID.
- **failureId** The ID of the failure that occurred.
- **failureType** The type of the failure that occurred.
- **fileName** The file name where the failure occurred.
- **function** The function where the failure occurred.
- **hresult** The HResult of the overall activity.
- **lineNumber** The line number where the failure occurred.
- **message** The message of the failure that occurred.
- **module** The module where the failure occurred.
- **originatingContextId** The ID of the originating call context that resulted in the failure.
- **originatingContextMessage** The message of the originating call context that resulted in the failure.
- **originatingContextName** The name of the originating call context that resulted in the failure.
- **threadId** The ID of the thread on which the activity is executing.
### Microsoft.Windows.Update.Orchestrator.ActivityError
@ -7358,6 +7359,29 @@ The following fields are available:
- **UpdateId** Unique ID for each Update.
- **WuId** Unique ID for the Windows Update client.
### wilActivity
This event provides a Windows Internal Library context used for Product and Service diagnostics. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
- **callContext** The function where the failure occurred.
- **currentContextId** The ID of the current call context where the failure occurred.
- **currentContextMessage** The message of the current call context where the failure occurred.
- **currentContextName** The name of the current call context where the failure occurred.
- **failureCount** The number of failures for this failure ID.
- **failureId** The ID of the failure that occurred.
- **failureType** The type of the failure that occurred.
- **fileName** The file name where the failure occurred.
- **function** The function where the failure occurred.
- **hresult** The HResult of the overall activity.
- **lineNumber** The line number where the failure occurred.
- **message** The message of the failure that occurred.
- **module** The module where the failure occurred.
- **originatingContextId** The ID of the originating call context that resulted in the failure.
- **originatingContextMessage** The message of the originating call context that resulted in the failure.
- **originatingContextName** The name of the originating call context that resulted in the failure.
- **threadId** The ID of the thread on which the activity is executing.
## Windows Update Reserve Manager events
@ -7532,8 +7556,6 @@ The following fields are available:
This event signals the completion of the setup process. It happens only once during the first logon.
## XDE events
### Microsoft.Emulator.Xde.RunTime.SystemReady
@ -7584,3 +7606,6 @@ The following fields are available:
- **virtualMachineName** VM name.
- **waitForClientConnection** True if we should wait for client connection.
- **wp81NetworkStackDisabled** WP 8.1 networking stack disabled.

4
windows/privacy/toc.yml
View File

@ -15,9 +15,9 @@
href: Microsoft-DiagnosticDataViewer.md
- name: Required Windows diagnostic data events and fields
items:
- name: Windows 10, version 2004 required Windows diagnostic data events and fields
- name: Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic data events and fields
href: required-windows-diagnostic-data-events-and-fields-2004.md
- name: Windows 10, version 1903 and Windows 10, version 1909 required level Windows diagnostic events and fields
- name: Windows 10, version 1909 and Windows 10, version 1903 required level Windows diagnostic events and fields
href: basic-level-windows-diagnostic-events-and-fields-1903.md
- name: Windows 10, version 1809 required Windows diagnostic events and fields
href: basic-level-windows-diagnostic-events-and-fields-1809.md

5
windows/privacy/windows-diagnostic-data.md
View File

@ -12,20 +12,21 @@ ms.author: dansimp
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/04/2019
ms.reviewer:
---
# Windows 10, version 1709 and newer optional diagnostic data
Applies to:
- Windows 10, version 20H2
- Windows 10, version 2004
- Windows 10, version 1909
- Windows 10, version 1903
- Windows 10, version 1809
- Windows 10, version 1803
- Windows 10, version 1709
Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 2004 required diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields).
Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 20H2 required diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields).
In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944:2017 Information technology -- Cloud computing -- Cloud services and devices: Data flow, data categories and data use](https://www.iso.org/standard/66674.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard.

47
windows/security/identity-protection/credential-guard/credential-guard-manage.md
View File

@ -21,8 +21,7 @@ ms.custom:
# Manage Windows Defender Credential Guard
**Applies to**
- Windows 10 <=1903 Enterprise and Education SKUs
- Windows 10 >=1909
- Windows 10 Enterprise or Education SKUs
- Windows Server 2016
- Windows Server 2019
@ -119,12 +118,15 @@ You can do this by using either the Control Panel or the Deployment Image Servic
2. Enable virtualization-based security:
- Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard.
- Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it.
- Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**.
3. Enable Windows Defender Credential Guard:
- Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA.
- Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it.
4. Close Registry Editor.
@ -145,6 +147,7 @@ DG_Readiness_Tool.ps1 -Enable -AutoReboot
> [!IMPORTANT]
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
>
> This is a known issue.
### Review Windows Defender Credential Guard performance
@ -171,6 +174,7 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
> [!IMPORTANT]
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
>
> This is a known issue.
> [!NOTE]
@ -179,15 +183,25 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
- We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard will not help to secure a device or identity that has already been compromised, which is why we recommend turning on Credential Guard as early as possible.
- You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
- **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
- **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: \[**0x0** \| **0x1** \| **0x2**\], **0**
- The first variable: **0x1** or **0x2** means that Windows Defender Credential Guard is configured to run. **0x0** means that it's not configured to run.
- The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**.
- **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard.
- **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\]
- **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -&gt; **Windows** -&gt; **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
- **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: **0x0**. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: **0x1**. TPM PCR mask: **0x0**.
- **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
- **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: \[**0x0** \| **0x1** \| **0x2**\], **0**
- The first variable: **0x1** or **0x2** means that Windows Defender Credential Guard is configured to run. **0x0** means that it's not configured to run.
- The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**.
- **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard.
- **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\]
- **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -&gt; **Windows** -&gt; **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
- **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: **0x0**. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: **0x1**. TPM PCR mask: **0x0**.
- You can use Windows PowerShell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated PowerShell window and run the following command:
```powershell
@ -195,10 +209,13 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
```
This command generates the following output:
- **0**: Windows Defender Credential Guard is disabled (not running)
- **1**: Windows Defender Credential Guard is enabled (running)
> [!NOTE]
> Checking the task list or Task Manager to see if LSAISO.exe is running is not a recommended method for determining whether Windows Defender Credential Guard is running.
> [!NOTE]
> Checking the task list or Task Manager to see if LSAISO.exe is running is not a recommended method for determining whether Windows Defender Credential Guard is running.
## Disable Windows Defender Credential Guard
@ -207,12 +224,15 @@ To disable Windows Defender Credential Guard, you can use the following set of p
1. If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Device Guard** -&gt; **Turn on Virtualization Based Security**).
2. Delete the following registry settings:
- HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags
- HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\LsaCfgFlags
3. If you also wish to disable virtualization-based security delete the following registry settings:
- HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity
- HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures
> [!IMPORTANT]
> If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
@ -261,6 +281,7 @@ DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot
> [!IMPORTANT]
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
>
> This is a known issue.
#### Disable Windows Defender Credential Guard for a virtual machine

6
windows/security/identity-protection/credential-guard/credential-guard-requirements.md
View File

@ -58,11 +58,11 @@ For information about Windows Defender Remote Credential Guard hardware and soft
When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatibility with the reduced functionality.
>[!WARNING]
> [!WARNING]
> Enabling Windows Defender Credential Guard on domain controllers is not supported.
> The domain controller hosts authentication services which integrate with processes isolated when Windows Defender Credential Guard is enabled, causing crashes.
>[!NOTE]
> [!NOTE]
> Windows Defender Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Windows Defender Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts).
Applications will break if they require:
@ -140,7 +140,7 @@ The following table lists qualifications for Windows 10, version 1703, which are
> [!IMPORTANT]
>
>Regarding **VBS enablement of NX protection for UEFI runtime services**:
> Regarding **VBS enablement of NX protection for UEFI runtime services**:
>
> - This only applies to UEFI runtime service memory, and not UEFI boot service memory.
>

2
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
View File

@ -39,7 +39,7 @@ Clients need to trust domain controllers and the best way to do this is to ensur
Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template.
By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template a baseline to create an updated domain controller certificate template.
By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template as a baseline to create an updated domain controller certificate template.
#### Create a Domain Controller Authentication (Kerberos) Certificate Template

21
windows/security/identity-protection/remote-credential-guard.md
View File

@ -53,7 +53,7 @@ Use the following table to compare different Remote Desktop connection security
<br />
| **Feature** | **Remote Desktop** | **Windows Defender Remote Credential Guard** | **Restricted Admin mode** |
| Feature | Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode |
|--------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the “domain user”. Any attack is local to the server |
| **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**. <br /><br />For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). |
@ -67,7 +67,7 @@ Use the following table to compare different Remote Desktop connection security
<br />
For further technical information, see [Remote Desktop Protocol](https://msdn.microsoft.com/library/aa383015(v=vs.85).aspx)
and [How Kerberos works](https://technet.microsoft.com/library/cc961963.aspx(d=robot))
and [How Kerberos works](https://technet.microsoft.com/library/cc961963.aspx(d=robot)).
<br />
@ -93,8 +93,11 @@ To use Windows Defender Remote Credential Guard, the Remote Desktop client and r
The Remote Desktop client device:
- Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine.
- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the users signed-in credentials. This requires the users account be able to sign in to both the client device and the remote host.
- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard.
- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk.
The Remote Desktop remote host:
@ -108,9 +111,13 @@ There are no hardware requirements for Windows Defender Remote Credential Guard.
> [!NOTE]
> Remote Desktop client devices running earlier versions, at minimum Windows 10 version 1607, only support signed-in credentials, so the client device must also be joined to an Active Directory domain. Both Remote Desktop client and server must either be joined to the same domain, or the Remote Desktop server can be joined to a domain that has a trust relationship to the client device's domain.
>
> GPO [Remote host allows delegation of non-exportable credentials](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialsdelegation) should be enabled for delegation of non-exportable credentials.
- For Windows Defender Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication.
- The remote host must be running at least Windows 10 version 1607, or Windows Server 2016.
- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Windows Defender Remote Credential Guard.
## Enable Windows Defender Remote Credential Guard
@ -118,15 +125,20 @@ There are no hardware requirements for Windows Defender Remote Credential Guard.
You must enable Restricted Admin or Windows Defender Remote Credential Guard on the remote host by using the Registry.
1. Open Registry Editor on the remote host.
2. Enable Restricted Admin and Windows Defender Remote Credential Guard:
- Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
- Add a new DWORD value named **DisableRestrictedAdmin**.
- To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0 to turn on Windows Defender Remote Credential Guard.
3. Close Registry Editor.
You can add this by running the following command from an elevated command prompt:
```
```console
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD
```
@ -143,6 +155,7 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C
![Windows Defender Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png)
3. Under **Use the following restricted mode**:
- If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Windows Defender Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used.
> [!NOTE]
@ -163,7 +176,7 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C
If you don't use Group Policy in your organization, or if not all your remote hosts support Remote Credential Guard, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Windows Defender Remote Credential Guard for that connection.
```
```console
mstsc.exe /remoteGuard
```

29
windows/security/identity-protection/user-account-control/how-user-account-control-works.md
View File

@ -109,9 +109,7 @@ To better understand each component, review the table below:
<th>Description</th>
</tr>
<tr>
<td>
<p><b>User</b></p>
</td>
<th colspan="2">User</th>
</tr>
<tr>
<td>
@ -138,9 +136,7 @@ To better understand each component, review the table below:
</td>
</tr>
<tr>
<td>
<p><b>System</b></p>
</td>
<th colspan="2">System</th>
</tr>
<tr>
<td>
@ -248,8 +244,7 @@ To better understand each component, review the table below:
</td>
</tr>
<tr>
<td>
<p><b>Kernel</b></p>
<th colspan="2">Kernel</th>
</td>
</tr>
<tr>
@ -276,9 +271,11 @@ The slider will never turn UAC completely off. If you set it to <b>Never notify<
- Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt.
- Automatically deny all elevation requests for standard users.
> **Important:** In order to fully disable UAC you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**.
>
> **Warning:** Universal Windows apps will not work when UAC is disabled.
> [!IMPORTANT]
> In order to fully disable UAC you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**.
> [!WARNING]
> Some Universal Windows Platform apps may not work when UAC is disabled.
### Virtualization
@ -291,7 +288,9 @@ Most app tasks operate properly by using virtualization features. Although virtu
Virtualization is not an option in the following scenarios:
- Virtualization does not apply to apps that are elevated and run with a full administrative access token.
- Virtualization supports only 32-bit apps. Non-elevated 64-bit apps simply receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations.
- Virtualization is disabled if the app includes an app manifest with a requested execution level attribute.
### Request execution levels
@ -319,6 +318,8 @@ Before a 32-bit process is created, the following attributes are checked to dete
- Key attributes in the resource script data are linked in the executable file.
- There are targeted sequences of bytes within the executable file.
> **Note:** The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.
>
> **Note:** The User Account Control: Detect application installations and prompt for elevation policy setting must be enabled for installer detection to detect installation programs. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).
> [!NOTE]
> The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.
> [!NOTE]
> The User Account Control: Detect application installations and prompt for elevation policy setting must be enabled for installer detection to detect installation programs. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).

218
windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
View File

@ -20,9 +20,9 @@ ms.custom: bitlocker
# BitLocker recovery guide
**Applies to**
**Applies to:**
- Windows 10
- Windows 10
This topic for IT professionals describes how to recover BitLocker keys from AD DS.
@ -32,56 +32,58 @@ This article assumes that you understand how to set up AD DS to back up BitLock
This article does not detail how to configure AD DS to store the BitLocker recovery information.
## <a href="" id="bkmk-whatisrecovery"></a>What is BitLocker recovery?
BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. In a recovery scenario, you have the following options to restore access to the drive:
- The user can supply the recovery password. If your organization allows users to print or store recovery passwords, the user can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft Account online. (Saving a recovery password with your Microsoft Account online is only allowed when BitLocker is used on a PC that is not a member of a domain).
- A data recovery agent can use their credentials to unlock the drive. If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it.
- A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive. Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed. This method requires that you have enabled this recovery method in the BitLocker Group Policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
- The user can supply the recovery password. If your organization allows users to print or store recovery passwords, the user can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft Account online. (Saving a recovery password with your Microsoft Account online is only allowed when BitLocker is used on a PC that is not a member of a domain).
- A data recovery agent can use their credentials to unlock the drive. If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it.
- A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive. Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed. This method requires that you have enabled this recovery method in the BitLocker Group Policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
### What causes BitLocker recovery?
The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:
- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/microsoft-intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
- On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised.
- Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
- Failing to boot from a network drive before booting from the hard drive.
- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. This means that if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked.
- Changes to the NTFS partition table on the disk including creating, deleting, or resizing a primary partition.
- Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated. Anti-hammering logic is software or hardware methods that increase the difficulty and cost of a brute force attack on a PIN by not accepting PIN entries until after a certain amount of time has passed.
- Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if you are using USB-based keys instead of a TPM.
- Turning off, disabling, deactivating, or clearing the TPM.
- Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade, causing the related boot measurements to change.
- Forgetting the PIN when PIN authentication has been enabled.
- Updating option ROM firmware.
- Upgrading TPM firmware.
- Adding or removing hardware; for example, inserting a new card in the computer, including some PCMIA wireless cards.
- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
- Changes to the master boot record on the disk.
- Changes to the boot manager on the disk.
- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software.
- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This can prevent the entry of enhanced PINs.
- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change.
- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/microsoft-intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
- On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised.
- Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
- Failing to boot from a network drive before booting from the hard drive.
- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. This means that if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked.
- Changes to the NTFS partition table on the disk including creating, deleting, or resizing a primary partition.
- Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated. Anti-hammering logic is software or hardware methods that increase the difficulty and cost of a brute force attack on a PIN by not accepting PIN entries until after a certain amount of time has passed.
- Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if you are using USB-based keys instead of a TPM.
- Turning off, disabling, deactivating, or clearing the TPM.
- Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade, causing the related boot measurements to change.
- Forgetting the PIN when PIN authentication has been enabled.
- Updating option ROM firmware.
- Upgrading TPM firmware.
- Adding or removing hardware; for example, inserting a new card in the computer, including some PCMIA wireless cards.
- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
- Changes to the master boot record on the disk.
- Changes to the boot manager on the disk.
- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software.
- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This can prevent the entry of enhanced PINs.
- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change.
> [!NOTE]
> Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different.
- Moving the BitLocker-protected drive into a new computer.
- Upgrading the motherboard to a new one with a new TPM.
- Losing the USB flash drive containing the startup key when startup key authentication has been enabled.
- Failing the TPM self-test.
- Having a BIOS, UEFI firmware, or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode.
- Changing the usage authorization for the storage root key of the TPM to a non-zero value.
- Moving the BitLocker-protected drive into a new computer.
- Upgrading the motherboard to a new one with a new TPM.
- Losing the USB flash drive containing the startup key when startup key authentication has been enabled.
- Failing the TPM self-test.
- Having a BIOS, UEFI firmware, or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode.
- Changing the usage authorization for the storage root key of the TPM to a non-zero value.
> [!NOTE]
> The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value.
- Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr).
- Pressing the F8 or F10 key during the boot process.
- Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards.
- Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive.
- Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr).
- Pressing the F8 or F10 key during the boot process.
- Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards.
- Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive.
> [!NOTE]
> Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker will reseal the encryption key to the current values of the measured components.
@ -95,26 +97,28 @@ If software maintenance requires the computer be restarted and you are using two
Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user.
## <a href="" id="bkmk-testingrecovery"></a>Testing recovery
Before you create a thorough BitLocker recovery process, we recommend that you test how the recovery process works for both end users (people who call your helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The forcerecovery command of manage-bde is an easy way for you to step through the recovery process before your users encounter a recovery situation.
**To force a recovery for the local computer**
**To force a recovery for the local computer:**
1. Click the **Start** button, type **cmd** in the **Start Search** box, right-click **cmd.exe**, and then click **Run as administrator**.
2. At the command prompt, type the following command and then press ENTER:
1. Click the **Start** button, type **cmd** in the **Start Search** box, right-click **cmd.exe**, and then click **Run as administrator**.
2. At the command prompt, type the following command and then press ENTER:
`manage-bde -forcerecovery <BitLockerVolume>`
**To force recovery for a remote computer**
**To force recovery for a remote computer:**
1. On the Start screen, type **cmd.exe**, and then click **Run as administrator**.
2. At the command prompt, type the following command and then press ENTER:
1. On the Start screen, type **cmd.exe**, and then click **Run as administrator**.
2. At the command prompt, type the following command and then press ENTER:
`manage-bde -ComputerName <RemoteComputerName> -forcerecovery <BitLockerVolume>`
> [!NOTE]
> Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the OS can boot up again. For more information, see [BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device](https://social.technet.microsoft.com/wiki/contents/articles/18671.bitlocker-troubleshooting-continuous-reboot-loop-with-bitlocker-recovery-on-a-slate-device.aspx).
## <a href="" id="bkmk-planningrecovery"></a>Planning your recovery process
When planning the BitLocker recovery process, first consult your organization's current best practices for recovering sensitive information. For example: How does your enterprise handle lost Windows passwords? How does your organization perform smart card PIN resets? You can use these best practices and related resources (people and tools) to help formulate a BitLocker recovery model.
@ -125,26 +129,29 @@ After a BitLocker recovery has been initiated, users can use a recovery password
When you determine your recovery process, you should:
- Become familiar with how you can retrieve the recovery password. See:
- Become familiar with how you can retrieve the recovery password. See:
- [Self-recovery](#bkmk-selfrecovery)
- [Recovery password retrieval](#bkmk-recoveryretrieval)
- [Self-recovery](#bkmk-selfrecovery)
- [Recovery password retrieval](#bkmk-recoveryretrieval)
- Determine a series of steps for post-recovery, including analyzing why the recovery occurred and resetting the recovery password. See:
- Determine a series of steps for post-recovery, including analyzing why the recovery occurred and resetting the recovery password. See:
- [Post-recovery analysis](#bkmk-planningpostrecovery)
- [Post-recovery analysis](#bkmk-planningpostrecovery)
### <a href="" id="bkmk-selfrecovery"></a>Self-recovery
In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization create a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users should be warned not to store the USB flash drive in the same place as the PC, especially during travel, for example if both the PC and the recovery items are in the same bag it would be very easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified.
### <a href="" id="bkmk-recoveryretrieval"></a>Recovery password retrieval
If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain the recovery password can be backed up to AD DS. However, this does not happen by default, you must have configured the appropriate Group Policy settings before BitLocker was enabled on the PC. BitLocker Group Policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.
- **Choose how BitLocker-protected operating system drives can be recovered**
- **Choose how BitLocker-protected fixed drives can be recovered**
- **Choose how BitLocker-protected removable drives can be recovered**
- **Choose how BitLocker-protected operating system drives can be recovered**
- **Choose how BitLocker-protected fixed drives can be recovered**
- **Choose how BitLocker-protected removable drives can be recovered**
In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS). Select the **Do not enable BitLocker until recovery information is stored in AD
DS** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds.
@ -155,24 +162,28 @@ The BitLocker Recovery Password Viewer for Active Directory Users and Computers
You can use the following list as a template for creating your own recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool.
- [Record the name of the user's computer](#bkmk-recordcomputername)
- [Verify the user's identity](#bkmk-verifyidentity)
- [Locate the recovery password in AD DS](#bkmk-locatepassword)
- [Gather information to determine why recovery occurred](#bkmk-gatherinfo)
- [Give the user the recovery password](#bkmk-givepassword)
- [Record the name of the user's computer](#bkmk-recordcomputername)
- [Verify the user's identity](#bkmk-verifyidentity)
- [Locate the recovery password in AD DS](#bkmk-locatepassword)
- [Gather information to determine why recovery occurred](#bkmk-gatherinfo)
- [Give the user the recovery password](#bkmk-givepassword)
### <a href="" id="bkmk-recordcomputername"></a>Record the name of the user's computer
You can use the name of the user's computer to locate the recovery password in AD DS. If the user does not know the name of the computer, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This is the computer name when BitLocker was enabled and is probably the current name of the computer.
### <a href="" id="bkmk-verifyidentity"></a>Verify the user's identity
You should verify that the person that is asking for the recovery password is truly the authorized user of that computer. You may also wish to verify that the computer with the name the user provided belongs to the user.
### <a href="" id="bkmk-locatepassword"></a>Locate the recovery password in AD DS
Locate the Computer object with the matching name in AD DS. Because Computer object names are listed in the AD DS global catalog, you should be able to locate the object even if you have a multi-domain forest.
### Multiple recovery passwords
If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date that the password was created.
@ -181,10 +192,12 @@ If at any time you are unsure what password to provide, or if you think you migh
Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID will find the correct password to unlock the encrypted volume.
### <a href="" id="bkmk-gatherinfo"></a>Gather information to determine why recovery occurred
Before you give the user the recovery password, you should gather any information that will help determine why the recovery was needed, in order to analyze the root cause during the post-recovery analysis. For more info about post-recovery analysis, see [Post-recovery analysis](#bkmk-planningpostrecovery).
### <a href="" id="bkmk-givepassword"></a>Give the user the recovery password
Because the recovery password is 48 digits long the user may need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password.
@ -192,15 +205,17 @@ Because the recovery password is 48 digits long the user may need to record the
> [!NOTE]
> Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors.
### <a href="" id="bkmk-planningpostrecovery"></a>Post-recovery analysis
When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption
when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted.
If you notice that a computer is having repeated recovery password unlocks, you might want to have an administrator can perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. See:
If you notice that a computer is having repeated recovery password unlocks, you might want to have an administrator perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. See:
- [Determine the root cause of the recovery](#bkmk-determinecause)
- [Refresh BitLocker protection](#bkmk-refreshprotection)
- [Determine the root cause of the recovery](#bkmk-determinecause)
- [Refresh BitLocker protection](#bkmk-refreshprotection)
### <a href="" id="bkmk-determinecause"></a>Determine the root cause of the recovery
@ -210,15 +225,16 @@ While an administrator can remotely investigate the cause of recovery in some ca
Review and answer the following questions for your organization:
1. What BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC?
2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be?
3. If TPM mode was in effect, was recovery caused by a boot file change?
4. If recovery was caused by a boot file change, is this due to an intended user action (for example, BIOS upgrade), or to malicious software?
5. When was the user last able to start the computer successfully, and what might have happened to the computer since then?
6. Might the user have encountered malicious software or left the computer unattended since the last successful startup?
1. What BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC?
2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be?
3. If TPM mode was in effect, was recovery caused by a boot file change?
4. If recovery was caused by a boot file change, is this due to an intended user action (for example, BIOS upgrade), or to malicious software?
5. When was the user last able to start the computer successfully, and what might have happened to the computer since then?
6. Might the user have encountered malicious software or left the computer unattended since the last successful startup?
To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if boot file change occurred). Both of these capabilities can be performed remotely.
### <a href="" id="bkmk-refreshprotection"></a>Resolve the root cause
After you have identified what caused recovery, you can reset BitLocker protection and avoid recovery on every startup.
@ -231,18 +247,21 @@ The details of this reset can vary according to the root cause of the recovery.
- [Unknown PIN](#bkmk-unknownpin)
- [Lost startup key](#bkmk-loststartup)
- [Changes to boot files](#bkmk-changebootknown)
### <a href="" id="bkmk-unknownpin"></a>Unknown PIN
### <a href="" id="bkmk-unknownpin"></a>Unknown PIN
If a user has forgotten the PIN, you must reset the PIN while you are logged on to the computer in order to prevent BitLocker from initiating recovery each time the computer is restarted.
**To prevent continued recovery due to an unknown PIN**
1. Unlock the computer using the recovery password.
2. Reset the PIN:
1. Right-click the drive and then click **Change PIN**
2. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account you must provide administrative credentials at this time.
3. In the PIN reset dialog, provide and confirm the new PIN to use and then click **Finish**.
3. You will use the new PIN the next time you unlock the drive.
1. Unlock the computer using the recovery password.
2. Reset the PIN:
1. Right-click the drive and then click **Change PIN**.
2. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account you must provide administrative credentials at this time.
3. In the PIN reset dialog, provide and confirm the new PIN to use and then click **Finish**.
3. You will use the new PIN the next time you unlock the drive.
### <a href="" id="bkmk-loststartup"></a>Lost startup key
@ -250,22 +269,26 @@ If you have lost the USB flash drive that contains the startup key, then you mus
**To prevent continued recovery due to a lost startup key**
1. Log on as an administrator to the computer that has the lost startup key.
2. Open Manage BitLocker.
3. Click **Duplicate start up key**, insert the clean USB drive on which you are going to write the key and then click **Save**.
1. Log on as an administrator to the computer that has the lost startup key.
2. Open Manage BitLocker.
3. Click **Duplicate start up key**, insert the clean USB drive on which you are going to write the key and then click **Save**.
### <a href="" id="bkmk-changebootknown"></a>Changes to boot files
This error might occur if you updated the firmware. As a best practice you should suspend BitLocker before making changes the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time.
This error might occur if you updated the firmware. As a best practice you should suspend BitLocker before making changes to the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time.
## Windows RE and BitLocker Device Encryption
Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLockerprotected drives.
## BitLocker recovery screen
During BitLocker recovery, Windows can display a custom recovery message and hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery.
### Custom recovery message
BitLocker Group Policy settings in Windows 10, version 1511, let you configure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support.
@ -281,9 +304,10 @@ Example of customized recovery screen:
![Customized BitLocker Recovery Screen](./images/bl-password-hint1.png)
### BitLocker recovery key hints
BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where key has been saved. Hints are displayed in both the modern (blue) and legacy (black) recovery screen. This applies to both the bootmanager recovery screen and the WinRE unlock screen.
BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed in both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen.
![Customized BitLocker recovery screen](./images/bl-password-hint2.png)
@ -302,6 +326,7 @@ There are rules governing which hint is shown during the recovery (in order of p
8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, "Contact your organization's help desk," will be displayed.
9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system will ask for a key that has been backed up, even if another key is newer.
#### Example 1 (single recovery key with single backup)
| Custom URL | Yes |
@ -316,6 +341,7 @@ There are rules governing which hint is shown during the recovery (in order of p
![Example 1 of Customized BitLocker recovery screen](./images/rp-example1.PNG)
#### Example 2 (single recovery key with single backup)
| Custom URL | Yes |
@ -330,6 +356,7 @@ There are rules governing which hint is shown during the recovery (in order of p
![Example 2 of customized BitLocker recovery screen](./images/rp-example2.PNG)
#### Example 3 (single recovery key with multiple backups)
| Custom URL | No |
@ -344,6 +371,7 @@ There are rules governing which hint is shown during the recovery (in order of p
![Example 3 of customized BitLocker recovery screen](./images/rp-example3.PNG)
#### Example 4 (multiple recovery passwords)
| Custom URL | No |
@ -373,6 +401,7 @@ There are rules governing which hint is shown during the recovery (in order of p
![Example 4 of customized BitLocker recovery screen](./images/rp-example4.PNG)
#### Example 5 (multiple recovery passwords)
| Custom URL | No |
@ -402,10 +431,12 @@ There are rules governing which hint is shown during the recovery (in order of p
![Example 5 of customized BitLocker recovery screen](./images/rp-example5.PNG)
## <a href="" id="bkmk-usingaddrecovery"></a>Using additional recovery information
Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used.
### BitLocker key package
If the recovery methods discussed earlier in this document do not unlock the volume, you can use the BitLocker Repair tool to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. You can then use this recovered data to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. We recommend that you still save the recovery password. A key package cannot be used without the corresponding recovery password.
@ -415,36 +446,37 @@ If the recovery methods discussed earlier in this document do not unlock the vol
The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc).
## <a href="" id="bkmk-appendixb"></a>Resetting recovery passwords
You should invalidate a recovery password after it has been provided and used. It should also be done when you intentionally want to invalidate an existing recovery password for any reason.
You can reset the recovery password in two ways:
- **Use manage-bde** You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method.
- **Run a script** You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords.
- **Use manage-bde** You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method.
- **Run a script** You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords.
**To reset a recovery password using manage-bde**
**To reset a recovery password using manage-bde:**
1. Remove the previous recovery password
1. Remove the previous recovery password
```powershell
Manage-bde protectors delete C: type RecoveryPassword
```
2. Add the new recovery password
2. Add the new recovery password
```powershell
Manage-bde protectors add C: -RecoveryPassword
```
3. Get the ID of the new recovery password. From the screen copy the ID of the recovery password.
3. Get the ID of the new recovery password. From the screen copy the ID of the recovery password.
```powershell
Manage-bde protectors get C: -Type RecoveryPassword
```
4. Backup the new recovery password to AD DS
4. Backup the new recovery password to AD DS
```powershell
Manage-bde protectors adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}
@ -453,10 +485,10 @@ You can reset the recovery password in two ways:
> [!WARNING]
> You must include the braces in the ID string.
**To run the sample recovery password script**
**To run the sample recovery password script:**
1. Save the following sample script in a VBScript file. For example: ResetPassword.vbs.
2. At the command prompt, type a command similar to the following:
1. Save the following sample script in a VBScript file. For example: ResetPassword.vbs.
2. At the command prompt, type a command similar to the following:
**cscript ResetPassword.vbs**
@ -466,7 +498,7 @@ You can reset the recovery password in two ways:
> [!NOTE]
> To manage a remote computer, you can specify the remote computer name rather than the local computer name.
You can use the following sample script to create a VBScript file to reset the recovery passwords.
You can use the following sample script to create a VBScript file to reset the recovery passwords:
```vb
' Target drive letter
@ -539,23 +571,24 @@ WScript.Echo "A new recovery password has been added. Old passwords have been re
'WScript.Echo "Type ""manage-bde -protectors -get " & strDriveLetter & " -type recoverypassword"" to view existing passwords."
```
## <a href="" id="bkmk-appendixc"></a>Retrieving the BitLocker key package
You can use two methods to retrieve the key package, as described in [Using Additional Recovery Information](#bkmk-usingaddrecovery):
- **Export a previously-saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS.
- **Export a new key package from an unlocked, BitLocker-protected volume.** You must have local administrator access to the working volume, before any damage has occurred.
- **Export a previously-saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS.
- **Export a new key package from an unlocked, BitLocker-protected volume.** You must have local administrator access to the working volume, before any damage has occurred.
The following sample script exports all previously-saved key packages from AD DS.
**To run the sample key package retrieval script**
**To run the sample key package retrieval script:**
1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackageADDS.vbs.
2. At the command prompt, type a command similar to the following:
**cscript GetBitLockerKeyPackageADDS.vbs -?**
You can use the following sample script to create a VBScript file to retrieve the BitLocker key package from AD DS.
You can use the following sample script to create a VBScript file to retrieve the BitLocker key package from AD DS:
```vb
' --------------------------------------------------------------------------------
@ -697,7 +730,7 @@ WScript.Quit
The following sample script exports a new key package from an unlocked, encrypted volume.
**To run the sample key package retrieval script**
**To run the sample key package retrieval script:**
1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackage.vbs
2. Open an administrator command prompt, type a command similar to the following:
@ -882,6 +915,7 @@ Function BinaryToString(Binary)
End Function
```
## See also
- [BitLocker overview](bitlocker-overview.md)
- [BitLocker overview](bitlocker-overview.md)

10
windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
View File

@ -82,20 +82,24 @@ Beginning with Windows 10 version 1809, you can use Security Center to check if
### Using System information
1. Launch MSINFO32.exe in a command prompt, or in the Windows search bar.
2. Check the value of **Kernel DMA Protection**.
![Kernel DMA protection in System Information](bitlocker/images/kernel-dma-protection.png)
3. If the current state of **Kernel DMA Protection** is OFF and **Hyper-V - Virtualization Enabled in Firmware** is NO:
- Reboot into BIOS settings
- Turn on Intel Virtualization Technology.
- Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md).
- Reboot system into Windows 10.
>[!NOTE]
> **Hyper-V - Virtualization Enabled in Firmware** is NOT shown when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is shown because this means that **Hyper-V - Virtualization Enabled in Firmware** is YES.
>[!NOTE]
> **Hyper-V - Virtualization Enabled in Firmware** is NOT shown when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is shown because this means that **Hyper-V - Virtualization Enabled in Firmware** is YES and the **Hyper-V** Windows feature is enabled. Enabling both is needed to enable **Kernel DMA Protection** even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-kernel-dma-protection).
4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature.
For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
## Frequently asked questions

36
windows/security/threat-protection/TOC.md
View File

@ -49,18 +49,27 @@
#### [PowerShell, WMI, and MPCmdRun.exe](microsoft-defender-atp/manage-atp-post-migration-other-tools.md)
## [Security administration]()
### [Threat & Vulnerability Management]()
#### [Overview of Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
#### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
#### [Dashboard insights](microsoft-defender-atp/tvm-dashboard-insights.md)
#### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
#### [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md)
#### [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md)
#### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md)
#### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
#### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md)
#### [Event timeline](microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md)
#### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md)
### [Threat & vulnerability management]()
#### [Overview](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
#### [Get started]()
##### [Permissions & prerequisites](microsoft-defender-atp/tvm-prerequisites.md)
##### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
##### [Assign device value](microsoft-defender-atp/tvm-assign-device-value.md)
#### [Assess your security posture]()
##### [Dashboard insights](microsoft-defender-atp/tvm-dashboard-insights.md)
##### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
##### [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md)
#### [Improve your security posture & reduce risk]()
##### [Address security recommendations](microsoft-defender-atp/tvm-security-recommendation.md)
##### [Remediate vulnerabilities](microsoft-defender-atp/tvm-remediation.md)
##### [Exceptions for security recommendations](microsoft-defender-atp/tvm-exception.md)
##### [Plan for end-of-support software](microsoft-defender-atp/tvm-end-of-support-software.md)
#### [Understand vulnerabilities on your devices]()
##### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
##### [Vulnerabilities in my organization](microsoft-defender-atp/tvm-weaknesses.md)
##### [Event timeline](microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md)
##### [Hunt for exposed devices](microsoft-defender-atp/tvm-hunt-exposed-devices.md)
### [Attack surface reduction]()
#### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)
@ -388,6 +397,7 @@
### [Automated investigation and response (AIR)]()
#### [Overview of AIR](microsoft-defender-atp/automated-investigations.md)
#### [Automation levels in AIR](microsoft-defender-atp/automation-levels.md)
#### [Configure AIR capabilities](microsoft-defender-atp/configure-automated-investigations-remediation.md)
### [Advanced hunting]()
@ -448,7 +458,7 @@
##### [Onboard devices using a local script](microsoft-defender-atp/configure-endpoints-script.md)
##### [Onboard non-persistent virtual desktop infrastructure (VDI) devices](microsoft-defender-atp/configure-endpoints-vdi.md)
#### [Onboard servers](microsoft-defender-atp/configure-server-endpoints.md)
#### [Onboard Windows servers](microsoft-defender-atp/configure-server-endpoints.md)
#### [Onboard non-Windows devices](microsoft-defender-atp/configure-endpoints-non-windows.md)
#### [Onboard devices without Internet access](microsoft-defender-atp/onboard-offline-machines.md)
#### [Run a detection test on a newly onboarded device](microsoft-defender-atp/run-detection-test.md)

33
windows/security/threat-protection/auditing/basic-audit-logon-events.md
View File

@ -38,33 +38,12 @@ You can configure this security setting by opening the appropriate policy under
| Logon events | Description |
| - | - |
| 528 | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below. |
| 529 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. |
| 530 | Logon failure. A logon attempt was made user account tried to log on outside of the allowed time. |
| 531 | Logon failure. A logon attempt was made using a disabled account. |
| 532 | Logon failure. A logon attempt was made using an expired account. |
| 533 | Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer. |
| 534 | Logon failure. The user attempted to log on with a type that is not allowed. |
| 535 | Logon failure. The password for the specified account has expired. |
| 536 | Logon failure. The Net Logon service is not active. |
| 537 | Logon failure. The logon attempt failed for other reasons. |
| 538 | The logoff process was completed for a user. |
| 539 | Logon failure. The account was locked out at the time the logon attempt was made. |
| 540 | A user successfully logged on to a network. |
| 541 | Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel. |
| 542 | A data channel was terminated. |
| 543 | Main mode was terminated. |
| 544 | Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated. |
| 545 | Main mode authentication failed because of a Kerberos failure or a password that is not valid. |
| 546 | IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid. |
| 547 | A failure occurred during an IKE handshake. |
| 548 | Logon failure. The security ID (SID) from a trusted domain does not match the account domain SID of the client. |
| 549 | Logon failure. All SIDs corresponding to untrusted namespaces were filtered out during an authentication across forests. |
| 550 | Notification message that could indicate a possible denial-of-service attack. |
| 551 | A user initiated the logoff process. |
| 552 | A user successfully logged on to a computer using explicit credentials while already logged on as a different user. |
| 682 | A user has reconnected to a disconnected terminal server session. |
| 683 | A user disconnected a terminal server session without logging off. |
| 4624 | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below. |
| 4625 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. |
| 4634 | The logoff process was completed for a user. |
| 4647 | A user initiated the logoff process. |
| 4648 | A user successfully logged on to a computer using explicit credentials while already logged on as a different user. |
| 4779 | A user disconnected a terminal server session without logging off. |
When event 528 is logged, a logon type is also listed in the event log. The following table describes each logon type.

48
windows/security/threat-protection/index.md
View File

@ -17,20 +17,20 @@ ms.topic: conceptual
---
# Threat Protection
[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Microsoft Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture.
[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Microsoft Defender ATP protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture.
>[!TIP]
> [!TIP]
> Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](https://docs.microsoft.com/enterprise-mobility-security/remote-work/).
<center><h2>Microsoft Defender ATP</center></h2>
<table>
<tr>
<td><a href="#tvm"><center><img src="images/TVM_icon.png"> <br><b>Threat & Vulnerability Management</b></center></a></td>
<td><a href="#asr"><center><img src="images/asr-icon.png"> <br><b>Attack surface reduction</b></center></a></td>
<td><center><a href="#ngp"><img src="images/ngp-icon.png"><br> <b>Next-generation protection</b></a></center></td>
<td><center><a href="#edr"><img src="images/edr-icon.png"><br> <b>Endpoint detection and response</b></a></center></td>
<td><center><a href="#ai"><img src="images/air-icon.png"><br> <b>Automated investigation and remediation</b></a></center></td>
<td><center><a href="#mte"><img src="images/mte-icon.png"><br> <b>Microsoft Threat Experts</b></a></center></td>
<td><a href="#tvm"><center><img src="images/TVM_icon.png" alt="threat and vulnerability icon"> <br><b>Threat & vulnerability management</b></center></a></td>
<td><a href="#asr"><center><img src="images/asr-icon.png" alt="attack surface reduction icon"> <br><b>Attack surface reduction</b></center></a></td>
<td><center><a href="#ngp"><img src="images/ngp-icon.png" alt="next generation protection icon"><br> <b>Next-generation protection</b></a></center></td>
<td><center><a href="#edr"><img src="images/edr-icon.png" alt="endpoint detection and response icon"><br> <b>Endpoint detection and response</b></a></center></td>
<td><center><a href="#ai"><img src="images/air-icon.png" alt="automated investigation and remediation icon"><br> <b>Automated investigation and remediation</b></a></center></td>
<td><center><a href="#mte"><img src="images/mte-icon.png" alt="microsoft threat experts icon"><br> <b>Microsoft Threat Experts</b></a></center></td>
</tr>
<tr>
<td colspan="7">
@ -47,19 +47,14 @@ ms.topic: conceptual
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq]
**[Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**<br>
**[Threat & vulnerability management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**<br>
This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
- [Risk-based Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
- [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
- [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
- [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md)
- [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md)
- [Remediation](microsoft-defender-atp/tvm-remediation.md)
- [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
- [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md)
- [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md)
- [Threat & vulnerability management overview](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
- [Get started](microsoft-defender-atp/tvm-prerequisites.md)
- [Access your security posture](microsoft-defender-atp/tvm-dashboard-insights.md)
- [Improve your security posture and reduce risk](microsoft-defender-atp/tvm-security-recommendation.md)
- [Understand vulnerabilities on your devices](microsoft-defender-atp/tvm-software-inventory.md)
<a name="asr"></a>
@ -103,25 +98,16 @@ Endpoint detection and response capabilities are put in place to detect, investi
<a name="ai"></a>
**[Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)**<br>
In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
In addition to quickly responding to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
- [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)
- [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
- [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md)
<a name="ss"></a>
**[Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md)**<br>
Microsoft Defender ATP includes a Microsoft Secure Score for Devices to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.
- [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md)
- [Threat analytics](microsoft-defender-atp/threat-analytics.md)
<a name="mte"></a>
**[Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)**<br>
Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization and additional context and insights that further empower Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately.
Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights. Microsoft Threat Experts further empowers Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately.
- [Targeted attack notification](microsoft-defender-atp/microsoft-threat-experts.md)
- [Experts-on-demand](microsoft-defender-atp/microsoft-threat-experts.md)
@ -149,4 +135,4 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf
<a name="mtp"></a>
**[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**<br>
With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks.
With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.

3
windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
View File

@ -12,6 +12,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
ms.date: 10/21/2020
---
# Configure and validate exclusions based on file extension and folder location
@ -187,7 +188,7 @@ The following table describes how the wildcards can be used and provides some ex
|Wildcard |Examples |
|---------|---------|
|`*` (asterisk) <br/><br/>In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument. <br/><br/>In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`<br/><br/>`C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders` <br/><br/>`C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` |
|`?` (question mark) <br/><br/>In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument. <br/><br/>In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my` would include `C:\MyData\my1.zip` <br/><br/>`C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders <br/><br/>`C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders |
|`?` (question mark) <br/><br/>In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument. <br/><br/>In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my?` would include `C:\MyData\my1.zip` <br/><br/>`C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders <br/><br/>`C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders |
|Environment variables <br/><br/>The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` |

11
windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
View File

@ -61,10 +61,10 @@ You can also randomize the times when each endpoint checks and downloads protect
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following settings:
5. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Intelligence Updates** and configure the following settings:
1. Double-click the **Specify the interval to check for security intelligence updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**.
2. Double-click the **Specify the day of the week to check for security intelligence updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**.
1. Double-click the **Specify the day of the week to check for security intelligence updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**.
2. Double-click the **Specify the interval to check for security intelligence updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**.
3. Double-click the **Specify the time to check for security intelligence updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**.
@ -103,8 +103,3 @@ See the following for more information and allowed parameters:
- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)

3
windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
View File

@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
ms.date: 10/08/2020
ms.date: 10/21/2020
---
# Manage Microsoft Defender Antivirus updates and apply baselines
@ -319,6 +319,7 @@ The below table provides the Microsoft Defender Antivirus platform and engine ve
|Windows 10 release |Platform version |Engine version |Support phase |
|-|-|-|-|
|2004 (20H1) |4.18.2004.6 |1.1.17000.2 | Technical upgrade Support (Only) |
|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade Support (Only) |
|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade Support (Only) |
|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade Support (Only) |

4
windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
View File

@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 02/19/2019
ms.date: 10/21/2020
ms.reviewer:
manager: dansimp
ms.custom: asr
@ -17,7 +17,7 @@ ms.custom: asr
# Prepare to install Microsoft Defender Application Guard
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
## Review system requirements

2
windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md
View File

@ -24,7 +24,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
View File

@ -21,7 +21,7 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
View File

@ -24,7 +24,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)

80
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md Normal file
View File

@ -0,0 +1,80 @@
---
title: AssignedIPAddresses() function in advanced hunting for Microsoft Defender Advanced Threat Protection
description: Learn how to use the AssignedIPAddresses() function to get the latest IP addresses assigned to a device
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 09/20/2020
---
# AssignedIPAddresses()
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Use the `AssignedIPAddresses()` function in your advanced hunting queries to quickly obtain the latest IP addresses that have been assigned to a device. If you specify a timestamp argument, this function obtains the most recent IP addresses at the specified time.
This function returns a table with the following columns:
Column | Data type | Description
-|-|-
`Timestamp` | datetime | Latest time when the device was observed using the IP address
`IPAddress` | string | IP address used by the device
`IPType` | string | Indicates whether the IP address is a public or private address
`NetworkAdapterType` | int | Network adapter type used by the device that has been assigned the IP address. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype)
`ConnectedNetworks` | int | Networks that the adapter with the assigned IP address is connected to. Each JSON array contains the network name, category (public, private, or domain), a description, and a flag indicating if it's connected publicly to the internet
## Syntax
```kusto
AssignedIPAddresses(x, y)
```
## Arguments
- **x**`DeviceId` or `DeviceName` value identifying the device
- **y**`Timestamp` (datetime) value instructing the function to obtain the most recent assigned IP addresses from a specific time. If not specified, the function returns the latest IP addresses.
## Examples
### Get the list of IP addresses used by a device 24 hours ago
```kusto
AssignedIPAddresses('example-device-name', ago(1d))
```
### Get IP addresses used by a device and find devices communicating with it
This query uses the `AssignedIPAddresses()` function to get assigned IP addresses for the device (`example-device-name`) on or before a specific date (`example-date`). It then uses the IP addresses to find connections to the device initiated by other devices.
```kusto
let Date = datetime(example-date);
let DeviceName = "example-device-name";
// List IP addresses used on or before the specified date
AssignedIPAddresses(DeviceName, Date)
| project DeviceName, IPAddress, AssignedTime = Timestamp
// Get all network events on devices with the assigned IP addresses as the destination addresses
| join kind=inner DeviceNetworkEvents on $left.IPAddress == $right.RemoteIP
// Get only network events around the time the IP address was assigned
| where Timestamp between ((AssignedTime - 1h) .. (AssignedTime + 1h))
```
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)

13
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
View File

@ -21,14 +21,16 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink)
## Optimize query performance
Apply these recommendations to get results faster and avoid timeouts while running complex queries.
- When trying new queries, always use `limit` to avoid extremely large result sets. You can also initially assess the size of the result set using `count`.
- Use time filters first. Ideally, limit your queries to seven days.
- Put filters that are expected to remove most of the data in the beginning of the query, right after the time filter.
@ -43,6 +45,7 @@ Apply these recommendations to get results faster and avoid timeouts while runni
## Query tips and pitfalls
### Queries with process IDs
Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific device, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the device identifier (either `DeviceId` or `DeviceName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`).
The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares.
@ -57,6 +60,7 @@ DeviceNetworkEvents
The query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process, without mixing multiple processes with the same process ID.
### Queries with command lines
Command lines can vary. When applicable, filter on file names and do fuzzy matching.
There are numerous ways to construct a command line to accomplish a task. For example, an attacker could reference an image file with or without a path, without a file extension, using environment variables, or with quotes. In addition, the attacker could also change the order of parameters or add multiple quotes and spaces.
@ -87,9 +91,12 @@ DeviceProcessEvents
| where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc"
```
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Custom detections overview](overview-custom-detections.md)

2
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md
View File

@ -25,7 +25,7 @@ ms.date: 01/22/2020
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
View File

@ -24,7 +24,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md
View File

@ -25,7 +25,7 @@ ms.date: 01/14/2020
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
View File

@ -24,7 +24,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
View File

@ -24,7 +24,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
View File

@ -24,7 +24,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
View File

@ -24,7 +24,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
View File

@ -24,7 +24,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
View File

@ -24,7 +24,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
View File

@ -24,7 +24,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
View File

@ -24,7 +24,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
View File

@ -24,7 +24,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md
View File

@ -24,7 +24,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md
View File

@ -24,7 +24,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md
View File

@ -24,7 +24,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md
View File

@ -22,7 +22,7 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)

48
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md Normal file
View File

@ -0,0 +1,48 @@
---
title: Extend advanced hunting coverage with the right settings
description: Check auditing settings on Windows devices and other settings to help ensure that you get the most comprehensive data in advanced hunting
keywords: advanced hunting, incident, pivot, entity, audit settings, user account management, security group management, threat hunting, cyber threat hunting, search, query, telemetry, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/10/2020
---
# Extend advanced hunting coverage with the right settings
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
[Advanced hunting](advanced-hunting-overview.md) relies on data coming from across your organization. To get the most comprehensive data possible, ensure that you have the correct settings in the corresponding data sources.
## Advanced security auditing on Windows devices
Turn on these advanced auditing settings to ensure you get data about activities on your devices, including local account management, local security group management, and service creation.
Data | Description | Schema table | How to configure
-|-|-|-
Account management | Events captured as various `ActionType` values indicating local account creation, deletion, and other account-related activities | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit User Account Management](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-user-account-management)<br> - [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing)
Security group management | Events captured as various `ActionType` values indicating local security group creation and other local group management activities | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit Security Group Management](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-security-group-management)<br> - [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing)
Service installation | Events captured with the `ActionType` value `ServiceInstalled`, indicating that a service has been created | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit Security System Extension](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-security-system-extension)<br> - [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing)
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Apply query best practices](advanced-hunting-best-practices.md)
- [Custom detections overview](overview-custom-detections.md)

85
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md Normal file
View File

@ -0,0 +1,85 @@
---
title: FileProfile() function in advanced hunting for Microsoft Defender Advanced Threat Protection
description: Learn how to use the FileProfile() to enrich information about files in your advanced hunting query results
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 09/20/2020
---
# FileProfile()
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
The `FileProfile()` function is an enrichment function in [advanced hunting](advanced-hunting-overview.md) that adds the following data to files found by the query.
Column | Data type | Description
-|-|-
SHA1 | string | SHA-1 of the file that the recorded action was applied to
SHA256 | string | SHA-256 of the file that the recorded action was applied to
MD5 | string | MD5 hash of the file that the recorded action was applied to
FileSize | int | Size of the file in bytes
GlobalPrevalence | int | Number of instances of the entity observed by Microsoft globally
GlobalFirstSeen | datetime | Date and time when the entity was first observed by Microsoft globally
GlobalLastSeen | datetime | Date and time when the entity was last observed by Microsoft globally
Signer | string | Information about the signer of the file
Issuer | string | Information about the issuing certificate authority (CA)
SignerHash | string | Unique hash value identifying the signer
IsCertificateValid | boolean | Whether the certificate used to sign the file is valid
IsRootSignerMicrosoft | boolean | Indicates whether the signer of the root certificate is Microsoft
IsExecutable | boolean | Whether the file is a Portable Executable (PE) file
ThreatName | string | Detection name for any malware or other threats found
Publisher | string | Name of the organization that published the file
SoftwareName | string | Name of the software product
## Syntax
```kusto
invoke FileProfile(x,y)
```
## Arguments
- **x** — file ID column to use: `SHA1`, `SHA256`, `InitiatingProcessSHA1` or `InitiatingProcessSHA256`; function uses `SHA1` if unspecified
- **y** — limit to the number of records to enrich, 1-1000; function uses 100 if unspecified
## Examples
### Project only the SHA1 column and enrich it
```kusto
DeviceFileEvents
| where isnotempty(SHA1) and Timestamp > ago(1d)
| take 10
| project SHA1
| invoke FileProfile()
```
### Enrich the first 500 records and list low-prevalence files
```kusto
DeviceFileEvents
| where ActionType == "FileCreated" and Timestamp > ago(1d)
| project CreatedOn = Timestamp, FileName, FolderPath, SHA1
| invoke FileProfile("SHA1", 500)
| where GlobalPrevalence < 15
```
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)

107
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md Normal file
View File

@ -0,0 +1,107 @@
---
title: Get relevant info about an entity with go hunt
description: Learn how to use the "go hunt" tool to quickly query for relevant information about an entity or event using advanced hunting.
keywords: advanced hunting, incident, pivot, entity, go hunt, relevant events, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft Threat Protection
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
f1.keywords:
- NOCSH
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Quickly hunt for entity or event information with go hunt
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
With the *go hunt* action, you can quickly investigate events and various entity types using powerful query-based [advanced hunting](advanced-hunting-overview.md) capabilities. This action automatically runs an advanced hunting query to find relevant information about the selected event or entity.
The *go hunt* action is available in various sections of the security center whenever event or entity details are displayed. For example, you can use *go hunt* from the following sections:
- In the [incident page](investigate-incidents.md), you can review details about users, devices, and many other entities associated with an incident. When you select an entity, you get additional information as well as various actions you could take on that entity. In the example below, a device is selected, showing details about the device as well the option to hunt for more information about the device.
![Image showing device details with the go hunt option](./images/go-hunt-device.png)
- In the incident page, you can also access a list of entities under the evidence tab. Selecting one of those entities provides an option to quickly hunt for information about that entity.
![Image showing selected url with the go hunt option in the Evidence tab](./images/go-hunt-evidence-url.png)
- When viewing the timeline for a device, you can select an event in the timeline to view additional information about that event. Once an event is selected, you get the option to hunt for other relevant events in advanced hunting.
![Image showing event details with the go hunt option](./images/go-hunt-event.png)
Selecting **Go hunt** or **Hunt for related events** passes different queries, depending on whether you've selected an entity or an event.
## Query for entity information
When using *go hunt* to query for information about a user, device, or any other type of entity, the query checks all relevant schema tables for any events involving that entity. To keep the results manageable, the query is scoped to around the same time period as the earliest activity in the past 30 days that involves the entity and is associated with the incident.
Here is an example of the go hunt query for a device:
```kusto
let selectedTimestamp = datetime(2020-06-02T02:06:47.1167157Z);
let deviceName = "fv-az770.example.com";
let deviceId = "device-guid";
search in (DeviceLogonEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceImageLoadEvents, DeviceEvents, DeviceImageLoadEvents, IdentityLogonEvents, IdentityQueryEvents)
Timestamp between ((selectedTimestamp - 1h) .. (selectedTimestamp + 1h))
and DeviceName == deviceName
// or RemoteDeviceName == deviceName
// or DeviceId == deviceId
| take 100
```
### Supported entity types
You can use *go hunt* after selecting any of these entity types:
- Files
- Users
- Devices
- IP addresses
- URLs
## Query for event information
When using *go hunt* to query for information about a timeline event, the query checks all relevant schema tables for other events around the time of the selected event. For example, the following query lists events in various schema tables that occurred around the same time period on the same device:
```kusto
// List relevant events 30 minutes before and after selected RegistryValueSet event
let selectedEventTimestamp = datetime(2020-10-06T21:40:25.3466868Z);
search in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents, DeviceLogonEvents)
Timestamp between ((selectedEventTimestamp - 30m) .. (selectedEventTimestamp + 30m))
and DeviceId == "a305b52049c4658ec63ae8b55becfe5954c654a4"
| sort by Timestamp desc
| extend Relevance = iff(Timestamp == selectedEventTimestamp, "Selected event", iff(Timestamp < selectedEventTimestamp, "Earlier event", "Later event"))
| project-reorder Relevance
```
## Adjust the query
With some knowledge of the [query language](advanced-hunting-query-language.md), you can adjust the query to your preference. For example, you can adjust this line, which determines the size of the time window:
```kusto
Timestamp between ((selectedTimestamp - 1h) .. (selectedTimestamp + 1h))
```
In addition to modifying the query to get more relevant results, you can also:
- [View the results as charts](advanced-hunting-query-results.md#view-query-results-as-a-table-or-chart)
- [Create a custom detection rule](custom-detection-rules.md)
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Custom detection rules](custom-detection-rules.md)

2
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md
View File

@ -22,7 +22,7 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)

20
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
View File

@ -22,24 +22,26 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats.
Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast.
<br />
<br />
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqo]
You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and then respond to suspected breach activity, misconfigured machines, and other findings.
>[!TIP]
>Use [advanced hunting in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview) to hunt for threats using data from Microsoft Defender ATP, Office 365 ATP, Microsoft Cloud App Security, and Azure ATP. [Turn on Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable)
## Get started with advanced hunting
Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast.
<p></p>
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqo]
You can also go through each of the following steps to ramp up your advanced hunting knowledge.
Go through the following steps to ramp up your advanced hunting knowledge.
We recommend going through several steps to quickly get up and running with advanced hunting.
@ -50,18 +52,24 @@ We recommend going through several steps to quickly get up and running with adva
| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. Learn where to look for data when constructing your queries. | [Schema reference](advanced-hunting-schema-reference.md) |
| **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) |
| **Optimize queries and handle errors** | Understand how to create efficient and error-free queries. | - [Query best practices](advanced-hunting-best-practices.md)<br>- [Handle errors](advanced-hunting-errors.md) |
| **Get the most complete coverage** | Use audit settings to provide better data coverage for your organization. | - [Extend advanced hunting coverage](advanced-hunting-extend-data.md) |
| **Run a quick investigation** | Quickly run an advanced hunting query to investigate suspicious activity. | - [Quickly hunt for entity or event information with *go hunt*](advanced-hunting-go-hunt.md) |
| **Contain threats and address compromises** | Respond to attacks by quarantining files, restricting app execution, and other actions | - [Take action on advanced hunting query results](advanced-hunting-take-action.md) |
| **Create custom detection rules** | Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically. | - [Custom detections overview](overview-custom-detections.md)<br>- [Custom detection rules](custom-detection-rules.md) |
## Data freshness and update frequency
Advanced hunting data can be categorized into two distinct types, each consolidated differently.
- **Event or activity data**—populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to Microsoft Defender ATP.
- **Entity data**—populates tables with consolidated information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.
## Time zone
Time information in advanced hunting is currently in the UTC time zone.
## Related topics
- [Learn the query language](advanced-hunting-query-language.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Use shared queries](advanced-hunting-shared-queries.md)

7
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
View File

@ -22,9 +22,9 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto operators and statements to construct queries that locate information in a specialized [schema](advanced-hunting-schema-reference.md). To understand these concepts better, run your first query.
@ -176,7 +176,6 @@ For detailed information about the query language, see [Kusto query language doc
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Use shared queries](advanced-hunting-shared-queries.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Apply query best practices](advanced-hunting-best-practices.md)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)

12
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md
View File

@ -23,7 +23,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
@ -116,6 +116,12 @@ After running a query, select **Export** to save the results to local file. Your
## Drill down from query results
To view more information about entities, such as devices, files, users, IP addresses, and URLs, in your query results, simply click the entity identifier. This opens a detailed profile page for the selected entity.
To quickly inspect a record in your query results, select the corresponding row to open the Inspect record panel. The panel provides the following information based on the selected record:
- **Assets** — A summarized view of the main assets (mailboxes, devices, and users) found in the record, enriched with available information, such as risk and exposure levels
- **Process tree** — A chart generated for records with process information and enriched using available contextual information; in general, queries that return more columns can result in richer process trees.
- **All details** — Lists all the values from the columns in the record
## Tweak your queries from the results
Right-click a value in the result set to quickly enhance your query. You can use the options to:
@ -126,9 +132,9 @@ Right-click a value in the result set to quickly enhance your query. You can use
![Image of advanced hunting result set](images/advanced-hunting-results-filter.png)
## Filter the query results
The filters displayed to the right provide a summary of the result set. Each column has its own section that lists the distinct values found for that column and the number of instances.
The filters displayed in the right pane provide a summary of the result set. Every column has its own section in the pane, each of which lists the values found in that column, and the number of instances.
Refine your query by selecting the `+` or `-` buttons on the values that you want to include or exclude and then selecting **Run query**.
Refine your query by selecting the `+` or `-` buttons on the values that you want to include or exclude. Then select **Run query**.
![Image of advanced hunting filter](images/advanced-hunting-filter.png)

7
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
View File

@ -24,7 +24,7 @@ ms.date: 01/14/2020
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
@ -69,8 +69,11 @@ Table and column names are also listed within the Microsoft Defender Security Ce
| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-devicetvmsecureconfigurationassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices |
| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)** | Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Apply query best practices](advanced-hunting-best-practices.md)
- [Custom detections overview](overview-custom-detections.md)
- [Advanced hunting data schema changes](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914)

8
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
View File

@ -23,7 +23,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
@ -43,7 +43,7 @@ You can save a new or existing query so that it is only accessible to you or sha
![Image of saving a query](images/advanced-hunting-save-query.png)
4. Select the folder where you'd like to save the query.
- **Shared queries** — shared to all users in the your organization
- **Shared queries** — shared to all users in your organization
- **My queries** — accessible only to you
5. Select **Save**.
@ -67,3 +67,7 @@ Microsoft security researchers regularly share advanced hunting queries in a [de
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Apply query best practices](advanced-hunting-best-practices.md)
- [Custom detections overview](overview-custom-detections.md)

82
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md Normal file
View File

@ -0,0 +1,82 @@
---
title: Take action on advanced hunting query results in Microsoft Threat Protection
description: Quickly address threats and affected assets in your advanced hunting query results
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 09/20/2020
---
# Take action on advanced hunting query results
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
You can quickly contain threats or address compromised assets that you find in [advanced hunting](advanced-hunting-overview.md) using powerful and comprehensive action options. With these options, you can:
- Take various actions on devices
- Quarantine files
## Required permissions
To be able to take action through advanced hunting, you need a role in Microsoft Defender ATP with [permissions to submit remediation actions on devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#permission-options). If you can't take action, contact a global administrator about getting the following permission:
*Active remediation actions > Threat and vulnerability management - Remediation handling*
## Take various actions on devices
You can take the following actions on devices identified by the `DeviceId` column in your query results:
- Isolate affected devices to contain an infection or prevent attacks from moving laterally
- Collect investigation package to obtain more forensic information
- Run an antivirus scan to find and remove threats using the latest security intelligence updates
- Initiate an automated investigation to check and remediate threats on the device and possibly other affected devices
- Restrict app execution to only Microsoft-signed executable files, preventing subsequent threat activity through malware or other untrusted executables
To learn more about how these response actions are performed through Microsoft Defender ATP, [read about response actions on devices](respond-machine-alerts.md).
## Quarantine files
You can deploy the *quarantine* action on files so that they are automatically quarantined when encountered. When selecting this action, you can choose between the following columns to identify which files in your query results to quarantine:
- `SHA1` — In most advanced hunting tables, this is the SHA-1 of the file that was affected by the recorded action. For example, if a file was copied, this would be the copied file.
- `InitiatingProcessSHA1` — In most advanced hunting tables, this is the file responsible for initiating the recorded action. For example, if a child process was launched, this would be the parent process.
- `SHA256` — This is the SHA-256 equivalent of the file identified by the `SHA1` column.
- `InitiatingProcessSHA256` — This is the SHA-256 equivalent of the file identified by the `InitiatingProcessSHA1` column.
To learn more about how quarantine actions are taken and how files can be restored, [read about response actions on files](respond-file-alerts.md).
>[!NOTE]
>To locate files and quarantine them, the query results should also include `DeviceId` values as device identifiers.
## Take action
To take any of the described actions, select one or more records in your query results and then select **Take actions**. A wizard will guide you through the process of selecting and then submitting your preferred actions.
![Image of selected record with panel for inspecting the record](images/ah-take-actions.png)
## Review actions taken
Each action is individually recorded in the action center, under **Action center** > **History** ([security.microsoft.com/action-center/history](https://security.microsoft.com/action-center/history)). Go to the action center to check the status of each action.
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Apply query best practices](advanced-hunting-best-practices.md)
- [Custom detections overview](overview-custom-detections.md)

2
windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
View File

@ -25,7 +25,7 @@ ms.date: 03/27/2020
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-alertsq-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/alerts.md
View File

@ -21,7 +21,7 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/api-explorer.md
View File

@ -25,7 +25,7 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
The Microsoft Defender ATP API Explorer is a tool that helps you explore various Microsoft Defender ATP APIs interactively.

2
windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
View File

@ -22,7 +22,7 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
View File

@ -22,7 +22,7 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
View File

@ -24,7 +24,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
View File

@ -22,7 +22,7 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
View File

@ -23,7 +23,7 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md
View File

@ -26,7 +26,7 @@ ms.date: 11/28/2018
**Applies to:**
- Azure Active Directory
- Office 365
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
View File

@ -25,7 +25,7 @@ ms.date: 11/20/2018
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink)

2
windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
View File

@ -23,7 +23,7 @@ ms.custom: asr
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
## Is attack surface reduction (ASR) part of Windows?

2
windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
View File

@ -24,7 +24,7 @@ ms.date: 10/08/2020
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Your attack surface is the total number of places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means offering attackers fewer ways to perform attacks.

2
windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
View File

@ -22,7 +22,7 @@ manager: dansimp
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. Audit mode lets you see a record of what *would* have happened if you had enabled the feature.

35
windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
View File

@ -11,7 +11,7 @@ ms.sitesec: library
ms.pagetype: security
ms.author: deniseb
author: denisebmsft
ms.date: 09/30/2020
ms.date: 10/21/2020
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@ -27,15 +27,21 @@ ms.custom: AIR
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806)
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh]
Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. Security operations teams face challenges in addressing the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation capabilities that can help your security operations team address threats more efficiently and effectively.
Watch the following video to see how automated investigation and remediation works:
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4bOeh]
Automated investigation uses various inspection algorithms and processes used by analysts to examine alerts and take immediate action to resolve breaches. These capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and any pending or completed actions.
> [!TIP]
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink).
## How the automated investigation starts
@ -72,28 +78,19 @@ If an incriminated entity is seen in another device, the automated investigation
## How threats are remediated
Depending on how you set up the device groups and their level of automation, each automated investigation either requires user approval (default) or automatically takes action to remediate threats.
As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*.
> [!NOTE]
> Microsoft Defender for Endpoint tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. You can keep the default setting, or change it according to your organizational needs. To change your settings, [adjust your device group settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
As verdicts are reached, automated investigations can result in one or more remediation actions. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. (See [Remediation actions](manage-auto-investigation.md#remediation-actions).)
You can configure the following levels of automation:
Depending on the [level of automation](automation-levels.md) set for your organization, remediation actions can occur automatically or only upon approval by your security operations team.
|Automation level | Description|
|---|---|
|**Full - remediate threats automatically** | All remediation actions are performed automatically. Remediation actions that were taken can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab.<br/><br/>***This option is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.* <br/><br/>*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**.* |
|**Semi - require approval for core folders remediation** | Approval is required for remediation actions on files or executables that are in core folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md). <br/><br/>Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`). |
|**Semi - require approval for non-temp folders remediation** | Approval is required for remediation actions on files or executables that are not in temporary folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).<br/><br/> Remediation actions can be taken automatically on files or executables that are in temporary folders. Temporary folders can include the following examples: <br/>- `\users\*\appdata\local\temp\*`<br/>- `\documents and settings\*\local settings\temp\*` <br/>- `\documents and settings\*\local settings\temporary\*`<br/>- `\windows\temp\*`<br/>- `\users\*\downloads\*`<br/>- `\program files\` <br/>- `\program files (x86)\*`<br/>- `\documents and settings\*\users\*` |
|**Semi - require approval for any remediation** | Approval is required for any remediation action. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).<br/><br/>*This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*<br/><br/>*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*|
|**No automated response** | Automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation. <br/><br/>***This option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)* |
> [!IMPORTANT]
> If your tenant already has device groups defined, then the automation level settings are not changed for those device groups.
All remediation actions, whether pending or completed, can be viewed in Action Center. If necessary, your security operations team can undo a remediation action. (See [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation).)
## Next steps
- [Learn about the automated investigations dashboard](manage-auto-investigation.md)
- [Get an overview of the automated investigations dashboard](manage-auto-investigation.md)
- [Learn more about automation levels](automation-levels.md)
- [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide)

62
windows/security/threat-protection/microsoft-defender-atp/automation-levels.md Normal file
View File

@ -0,0 +1,62 @@
---
title: Automation levels in automated investigation and remediation
description: Get an overview of automation levels and how they work in Microsoft Defender for Endpoint
keywords: automated, investigation, level, defender atp
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: deniseb
author: denisebmsft
ms.date: 10/22/2020
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
ms.topic: conceptual
ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
ms.custom: AIR
---
# Automation levels in automated investigation and remediation capabilities
Automated investigation and remediation (AIR) capabilities in Microsoft Defender for Endpoint can be configured to one of several levels of automation. Your automation level affects whether remediation actions following AIR investigations are taken automatically or only upon approval.
- *Full automation* (recommended) means remediation actions are taken automatically on artifacts determined to be malicious.
- *Semi-automation* means some remediation actions are taken automatically, but other remediation actions await approval before being taken. (See the table in [Levels of automation](#levels-of-automation).)
- All remediation actions, whether pending or completed, are tracked in the Action Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
> [!TIP]
> For best results, we recommend using full automation when you [configure AIR](configure-automated-investigations-remediation.md). Data collected and analyzed over the past year shows that customers who are using full automation had 40% more high-confidence malware samples removed than customers who are using lower levels of automation. Full automation can help free up your security operations resources to focus more on your strategic initiatives.
## Levels of automation
The following table describes each level of automation and how it works.
|Automation level | Description|
|:---|:---|
|**Full - remediate threats automatically** <br/>(also referred to as *full automation*)| With full automation, remediation actions are performed automatically. All remediation actions that are taken can be viewed in the [Action Center](auto-investigation-action-center.md) on the **History** tab. If necessary, a remediation action can be undone.<br/><br/>***Full automation is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.* |
|**Semi - require approval for any remediation** <br/>(also referred to as *semi-automation*)| With this level of semi-automation, approval is required for *any* remediation action. Such pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.<br/><br/>*This level of semi-automation is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*|
|**Semi - require approval for core folders remediation** <br/>(also a type of *semi-automation*) | With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are in core folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`).<br/><br/>Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. <br/><br/>Pending actions for files or executables in core folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab. <br/><br/>Actions that were taken on files or executables in other folders can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab. |
|**Semi - require approval for non-temp folders remediation** <br/>(also a type of *semi-automation*)| With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are *not* in temporary folders. <br/><br/>Temporary folders can include the following examples: <br/>- `\users\*\appdata\local\temp\*`<br/>- `\documents and settings\*\local settings\temp\*` <br/>- `\documents and settings\*\local settings\temporary\*`<br/>- `\windows\temp\*`<br/>- `\users\*\downloads\*`<br/>- `\program files\` <br/>- `\program files (x86)\*`<br/>- `\documents and settings\*\users\*`<br/><br/>Remediation actions can be taken automatically on files or executables that are in temporary folders. <br/><br/>Pending actions for files or executables that are not in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.<br/><br/>Actions that were taken on files or executables in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **History** tab. |
|**No automated response** <br/>(also referred to as *no automation*) | With no automation, automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation. However, other threat protection features, such as [protection from potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus), can be in effect, depending on how your antivirus and next-generation protection features are configured.<br/><br/>***Using the *no automation* option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up your automation level to full automation (or at least semi-automation)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)*. |
## Important points about automation levels
- Full automation has proven to be reliable, efficient, and safe, and is recommended for all customers. Full automation frees up your critical security resources so they can focus more on your strategic initiatives.
- New tenants (which include tenants that were created on or after August 16, 2020) with Microsoft Defender for Endpoint are set to full automation by default.
- If your security team has defined device groups with a level of automation, those settings are not changed by the new default settings that are rolling out.
- You can keep your default automation settings, or change them according to your organizational needs. To change your settings, [set your level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
## Next steps
- [Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint](configure-automated-investigations-remediation.md)
- [Visit the Action Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center)

2
windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
View File

@ -24,7 +24,7 @@ ms.topic: article
**Applies to:**
- Azure Active Directory
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-basicaccess-abovefoldlink)

Some files were not shown because too many files have changed in this diff Show More